Written by Jason Briody
Monday, 13 July 2009 12:55
Many attorneys and lit support personnel work with EDD consultancies all the time, but few know how long each of the processes these companies perform usually takes. I've laid out a first-person view of a computer's journey from collection to load file creation below. Keep in mind that there are an incredible number of variables that can affect these processes; below is just what happens if everything goes totally smoothly, everyone answers their phones, you find what you're looking for on the first pass, no computers are damaged, no software encounters unusual errors and no custodians are hostile. Since we almost never encounter such a fabled "perfect case," take this timeline with a grain of salt, but keep in mind that at least a few of these processes are usually pulled off without a hitch.
Monday
7:15am - Washington, DC - Well, today's the day I get duped. Ms. Attorney has earmarked me as a computer to be collected. My owner dropped me off in the "collection room," the room that our office usually uses as an extra conference room. The e-discovery/forensic guys are on their way from about an hour north. They should be here shortly. Travel time, by car: 1.5 hours
8:45am - They're here. The EDD guys just showed up with a few bags of rolling luggage each, and they're talking with Ms. Attorney. Speaking with Ms. Attorney, overview of what's going to happen today: 15 minutes.
9:00am - Now they're getting set up. They're pulling wires, computers, and all sorts of electronic gadgets out of their bags and powering up their laptops and other equipment. Set-up time: 10 minutes.
9:10am - Looks like I'm first to be duped. The EDD guys are taking down my model number, serial number, BIOS time, hard drive information; basically, doing a whole bunch of documentation. Documentation: 5-15 minutes/machine
9:15am - There are a lot of wires connected to me. I think they're about to start creating a forensic image. Forensic duplication: approx. 1 hour/60-80 GB hard drive (average size for a 1-3 year old laptop)
10:15am - Duplication's done. Now there are two of me; one in my original laptop casing and the other in the possession of the EDD guys. I'll be narrating from the copy in the EDD guys' possession from here on out. They've got a few other computers duping simultaneously now. The room is getting warm from all these wires, computers and moving bodies. Duplicating the rest of the machines: 2.5 hours
12:45pm - We're all done here; they've imaged all the laptops they needed. Time to get transported back to the lab up in Columbia, MD. Travel time, by car: 1 hour
1:50pm - Columbia, MD - We're back at the EDD office. I'm in a lab computer, and they're going to make what's called a "working copy" of me. This way, the EDD folks have an extra copy of me on which they can do all their processing, and the original evidence copy they made, which will be secured in a safe. Creating working copy of this drive: 20-30 minutes
2:15pm - OK. Working copy created. My other copy, the evidence copy, was put in the safe. Now it's time for me to be hashed and indexed. Hashing is the process through which each file receives a unique "number," generated from its content, that acts as a check that the file has not changed. If the file does change, a newly generated hash will not match the old one. Creating an index means that keyword searches performed on me will be nearly instantaneous, just as a book's index makes words easier to find in its text. Hashing and indexing this drive: 8-10 hours (+2-5 additional hours to retrieve deleted data)
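To make the hashing-and-indexing step concrete, here is an added example (not code from the original post or from JD&A's tooling) that does both on a constructed set of files: each file is hashed with SHA-256 at collection time, re-hashed later to prove nothing changed, and an inverted index is built so that a keyword search is a single dictionary lookup rather than a scan of every file. The file names, contents, and the choice of SHA-256 are assumptions made for this example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a handful of files on a working copy of the drive.
# Names and contents are made up for this example.
DRIVE_FILES = {
    "memo.txt": b"abc",
    "budget_notes.txt": b"Q3 budget review: travel costs must be approved by the attorney.",
    "lunch.txt": b"Lunch menu for Monday: soup and a sandwich.",
}


def hash_bytes(data: bytes) -> str:
    """Return the SHA-256 hex digest of a file's content."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Hash every file once, at collection time, and record the digests."""
    return {name: hash_bytes(content) for name, content in files.items()}


def verify_manifest(files: dict, manifest: dict) -> list:
    """Re-hash the files and return the names whose digest no longer matches
    (modified files) or that are missing from the current set."""
    changed = []
    for name, expected in manifest.items():
        current = files.get(name)
        if current is None or hash_bytes(current) != expected:
            changed.append(name)
    return sorted(changed)


def build_index(files: dict) -> dict:
    """Build an inverted index: lower-cased word -> set of file names."""
    index = defaultdict(set)
    for name, content in files.items():
        text = content.decode("utf-8", errors="ignore").lower()
        for word in re.findall(r"[a-z0-9]+", text):
            index[word].add(name)
    return index


def search(index: dict, keyword: str) -> list:
    """Keyword lookup is one dictionary access, not a scan of every file."""
    return sorted(index.get(keyword.lower(), set()))


if __name__ == "__main__":
    manifest = build_manifest(DRIVE_FILES)
    print("changed files on intact copy:", verify_manifest(DRIVE_FILES, manifest))  # []
    tampered = dict(DRIVE_FILES, **{"memo.txt": b"abd"})
    print("changed files after an edit:", verify_manifest(tampered, manifest))  # ['memo.txt']
    index = build_index(DRIVE_FILES)
    print("files mentioning 'attorney':", search(index, "attorney"))  # ['budget_notes.txt']
```

The manifest is what an examiner would keep alongside the evidence copy: re-running `verify_manifest` months later over the working copy shows whether any file was altered during processing. Building the index once up front is why the keyword searches later in the timeline take minutes rather than hours.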
Tuesday
1:00am - Wow, it's late. Nobody's here. Guess I'll have to wait until morning for anything new to happen.
8:15am - The lights are on. They're going to do a few keyword searches that Ms. Attorney emailed out to them late last night. Keyword adding and searching (with index): 5-10 minutes/image
9:00am - Found a number of files. They're talking with Ms. Attorney about what they found. I believe Ms. Attorney wants some load files created from the responsive files. She's giving the specs to one of the EDD guys now. Speaking with Ms. Attorney about results, advising, getting load file specs: 20 minutes
9:20am - They've got the specs. Now it's time to export the responsive files and set up the load file generating software to create the load file Ms. Attorney requested. Exporting 2 GB of responsive files from the images and setting up load file software: 1 hour
10:20am - They're going to start generating the load file. At this point, the 2 GB of responsive data will quadruple in size from the TIFF and OCR process to 8 GB total. Load file creation: 2 hours (approximately 1 GB/hr)
12:20pm - They're making sure everything went smoothly with the load file creation. Troubleshooting items that failed to properly OCR, de-blank, get stamped, TIFF, etc: a little over an hour
1:30pm - They're sending the data to the data hosting company used by Ms. Attorney. The data will be up in a day or two, depending on the speed of the data hosting company, and then the review process will begin. Time until data will be available for review online: 1-2 business days, depending on the company.
There you go! If anyone can shed some light on the time attorneys take for some of their EDD processes, we'd love to hear it! Shoot us an email with what you've got (whether it be a link to a blog or article you wrote or just your two cents), and we'll give you a shout on our twitter.
Written by Ryan Lerminiaux
Wednesday, 01 July 2009 07:26
The economy is still in bad shape, and one way companies are cutting costs is by opting to ship computers to their forensic vendors instead of paying for onsite work. This is a very economical alternative to paying for a consultant's travel expenses (airfare, hotel, meals, etc.). That being said, there are several things one should consider when shipping computers to their forensic vendor's office.
1. Include the power supply. Most of the computers Jones Dykstra receives in the mail are laptops, and most are without a power supply. Usually, this is not a problem because the computer's hard drive is removed and is then duplicated using one of the vendor's computers. This is not always the case, though, as we occasionally receive a hard drive that refuses to cooperate and must be forensically duplicated in its original computer. In such a case, the forensic vendor must be able to keep the computer powered on long enough to forensically duplicate the hard drive. Many times, vendors will have assorted spare power supplies on hand, but the best way to prevent this problem is to include the power supply when shipping the laptop to your vendor, ensuring you receive the computer back as quickly as possible.
2. Pack the computer carefully. This sounds simple, but more often than not, computers show up at our office in a ratty box with minimal padding. FedEx will not insure a laptop unless it is shipped in one of their laptop boxes. You can insure the computer monetarily, and if it is damaged during shipment you can have it replaced, but what about the data it contained? Is that information replaceable? If a hard drive is smashed and the platters are cracked or broken, even the best data recovery lab in the country is going to have trouble recovering the data, and it will be quite costly. So take the time to pack up your computers right, and it will pay off later when they arrive at your vendor's office safe and sound.
3. Include any additional information or instructions with the computer. This is especially important if you are looking for an expedited turnaround from your vendor. Occasionally, Jones Dykstra will receive a computer in the mail with little or no information regarding which client sent it or which matter it pertains to. When this occurs, it usually prompts phone calls and/or emails in order to hunt down answers about the miscellaneous computer. If a set of detailed instructions and information about the computer is included, it makes for a much smoother process.
With the option for overnight shipping available almost anywhere in the country, a computer can be sent out Wednesday night for forensic duplication and be back in the user's hands by Friday morning, making shipping computers a very viable solution to your computer forensic needs. Just be sure to follow these 3 simple steps the next time you're shipping to ensure the least risk and the fastest turnaround possible.
Written by Jason Briody
Tuesday, 23 June 2009 11:43
When a restaurant closes and the last customer walks out the door, the employees don't just call it quits and follow them out. There's a flurry of activity. Dishwashers are running, the "daily special" board is wiped clean, floors are mopped and tables are reset. But when some attorneys close a matter, they're just concerned with calculating their tips and clocking out. Here's why making sure you've cleaned up after yourself, at least as far as your collected ESI is concerned, is worthwhile.
It could be costing you money.
Many computer forensic and EDD consultancies charge a monthly fee to store your data after a period of time stated in your initial engagement contract. Those hard drives full of data are taking up hardware and space in these consultancies' secure rooms and safes. These recurring fees can add up, especially when you have a large amount of data sitting around that is no longer needed.
Your client will thank you for it.
Your client wants to know that their information is being handled with care. Once a matter is closed and the relevant data no longer needed, they want to know that their company information, employee records, and employee communications are destroyed and once again exclusively within their control. Custodians involved also sleep easier once they've been notified by their employers that the forensic duplications of their laptops have been disposed of securely.
It might come back to haunt you.
Are those forensic duplications and other data still hanging around? There are many cases in which an organization's lack of a document retention and data destruction policy (or the company's disregard for these policies) has resulted in a major negative impact for the company (see Murphy Oil USA Inc. v. Fluor Daniel Inc., or this article about Boeing's document retention mishap). In both these cases, the companies made the same mistake: they retained emails and backups for far longer than their document retention policies ordered. The files that they hung on to became discoverable, and they (or their cases) suffered for it. Is it possible your client's data will become discoverable for another matter if it's known that these forensic "backups" exist?
Of course, you need to look at the legality of destroying your forensic duplications at a matter's close ("close" being the operative and ambiguous word), but barring any legal restrictions that compel you to hang on to the data from one of your matters, destroying it is more than just good housekeeping. It could be keeping that data from being used against you.
So how do I ensure the data's been destroyed?
Once your matter is closed and you no longer need the forensic duplications and data collected, ask your consultancy to securely destroy it. Ensure that you receive a "Certificate of Destruction" form that explains what data was destroyed, how, when, and by whom. Heck, you don't even have to get your hands dirty.
The guy who runs the restaurant dishwasher only wishes he could say that.
Written by Administrator
Tuesday, 26 May 2009 19:28
While data collection may seem like a straightforward process, it rarely is. There are an innumerable amount of unforeseeable circumstances, computer technologies, and people that can cause problems during an on-site collection. In this multi-entry blog series, we'll be discussing the most common items and the people that can make data collection more difficult for you so that you can make more informed decisions during your collections and collection prep.
RAIDs
If the computer contains a RAID (Redundant Array of Inexpensive Disks), it is often necessary to run the collection through the computer without removing the hard drives. Many servers store data using a RAID. A RAID consists of several hard drives that are grouped together and, depending on the type of RAID, spreads saved data across all the drives. A RAID may be used for a number of reasons, but they are most commonly used as a way to create extra copies of data in case of a single hard drive failure; if one of the hard drives fails, the data that it contains can be recovered because it was replicated (using an algorithm) onto the other hard drives that were in that RAID.
If the hard drives are removed from the computer containing the RAID, they do not maintain the structure of how the data is stored and are therefore unusable. To help illustrate this, imagine that you cut out the words in a paper document and put them in a number of different boxes in a pattern that only you knew. If someone mixed up all of the boxes, you would never again be able to read the document unless the boxes were put back in the exact order that you had them. If the RAID hard drives are removed from the computer, they must be put back into the same RAID computer (which knows the pattern) using the exact hardware location that they were removed from. Mixing up a single cable will make the data unrecognizable. Inexperienced vendors sometimes pull these hard drives out of the system and don't keep track of how they were organized, and the data becomes unusable.
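The "words cut out and sorted into boxes" picture above can be shown with a small amount of code. The following is an added example, not code from the original post or from any RAID controller; it models a simple parity RAID (several data disks plus one XOR parity disk, a RAID-4-style layout chosen as an assumption for this example, since the post does not name a RAID level) on constructed data. It demonstrates both halves of the post's point: a failed disk can be rebuilt from the survivors, and the same disks reconnected in the wrong order return bytes that are all present but unreadable.

```python
# Added example: RAID-4-style striping with one XOR parity disk, on constructed data.


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data, n_data_disks, chunk=4):
    """Split data into stripes: each stripe places one chunk on each data disk and
    the XOR of those chunks on the parity disk. Returns one byte string per disk
    (data disks first, parity disk last). Data is zero-padded to a whole stripe."""
    width = n_data_disks * chunk
    padded = data + b"\x00" * (-len(data) % width)
    disks = [bytearray() for _ in range(n_data_disks + 1)]
    for off in range(0, len(padded), width):
        chunks = [padded[off + i * chunk: off + (i + 1) * chunk] for i in range(n_data_disks)]
        for i, c in enumerate(chunks):
            disks[i] += c
        disks[-1] += xor_blocks(chunks)
    return [bytes(d) for d in disks]


def reassemble(disks, n_data_disks, chunk=4, length=None):
    """Read the data disks back stripe by stripe, in the order they are given.
    Only the controller's original order yields the original document."""
    data = bytearray()
    n_stripes = len(disks[0]) // chunk
    for s in range(n_stripes):
        for disk in disks[:n_data_disks]:
            data += disk[s * chunk:(s + 1) * chunk]
    return bytes(data if length is None else data[:length])


def rebuild(disks, missing):
    """Reconstruct one failed disk from the others: because every stripe's chunks
    XOR to zero (data chunks XOR parity), the missing disk is the XOR of all survivors."""
    survivors = [d for i, d in enumerate(disks) if i != missing]
    return xor_blocks(survivors)


if __name__ == "__main__":
    original = b"The quick brown fox jumps over the lazy dog"  # constructed sample document
    disks = stripe(original, 3)
    print("drive 1 rebuilt correctly:", rebuild(disks, 1) == disks[1])  # True
    # Drives reconnected with two cables swapped: every byte survives, the document does not.
    swapped = [disks[1], disks[0], disks[2], disks[3]]
    print("correct order:", reassemble(disks, 3, length=len(original)))
    print("swapped order:", reassemble(swapped, 3, length=len(original)))  # b'quicThe k br...'
```

The rebuild works only because the controller knows which disk is which; that knowledge (the "pattern") lives in the controller's configuration, not on the drives, which is why the post insists the drives go back into the same slots on the same machine.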
Exotic and Legacy Computers
It doesn't take long for technology to become outdated in today's world. It is difficult for all companies to keep all of their computers current, especially if the computers are still working and there is no reason to upgrade. While this may work well for the company, it can cause your EDD vendor serious problems. Older computers can cause problems for any of the following reasons:
- Computers might not have the proper connections to allow for the duplication of data.
- Older connections may only allow for very slow data transfers.
- Computers that have been running fine for fifteen years may inexplicably not turn back on after they've been shut down.
- Current forensic software may not read and process the data on the older computers, which would mean more hands-on (and more expensive) collection and processing work.
Despite the problems with exotic and legacy computers, there are sometimes work-arounds to get the necessary data, for example duplicating from backup media like tapes or other external media. This is useful when examiners are concerned about harming the target computer. Be sure to keep your vendor informed if your client has any exotic or legacy systems (and if backups of these systems exist) so that they can prepare as best they can.
An EDD firm that is informed of what a collection will entail (especially when dealing with the difficult items we've discussed here) will make for a much more successful and inexpensive collection.
Stay tuned for our next blog in this series, where we'll cover the people who can make collections difficult.
Written by Jason Briody
Tuesday, 26 May 2009 19:24
While data collection may seem like a straightforward process, it rarely is. There are an innumerable amount of unforeseeable circumstances, computer technologies, and people that can cause problems during an on-site collection. In this multi-entry blog series, we'll be discussing the most common items and the people that can make data collection more difficult for you so that you can make more informed decisions during your collections and collection prep.
Magnetic Tapes
Tapes are an exception to normal collection and processing. While they can be very useful to an investigation, there are a few things that make collecting and processing tapes much more difficult and time-consuming than other media.
- Tape data must be pulled through the software used to create it, much like a database. If you try to merely copy a tape, it will come out looking like garbage, since the program that wrote it is not there to "interpret" and make sense of it.
- There are many different software applications that can write to tapes, so finding out which program wrote the data to the tape may be difficult.
- Tapes come in many shapes and sizes. A tape drive is needed to "run" a tape, and different tapes require different tape drives.
- Tapes may contain data that is part of a series. The series must be reconstructed for the data to be properly viewed.
- When poorly labeled or unlabeled, finding the right sequence may be difficult or impossible.
Try to enlist the help of your client's IT to ensure you have the most information you can get (such as the info above) about any tapes you will be collecting.
Databases
Databases such as Oracle and Microsoft SQL aren't necessarily difficult to collect, but they are difficult to search and review once collected, especially if they are collected improperly. Databases are stored in such a way that it is nearly impossible for a human to discern any information from them without the source (database) software to interpret it.
To help illustrate why one can't merely review a "duplication" of a database, imagine a several hundred page spreadsheet. Now cut out the individual cells of that spreadsheet and mix them up with your eyes closed. What you end up with (a jumble of random cells and numbers) looks a lot like the data that a database has stored. The database software knows how to link the separated cells back together so that when you ask for certain cells it can retrieve them, but you cannot just print the database and look it over; it will look like a jumble of computer code.
Databases must be collected and reviewed a very specific way, so be sure to talk to your EDD vendor for advice on what to do after they've done the collection.
Read more about items that can make your collections difficult in part 3 of our "Data Collection Pitfalls" blog series.
Written by Ryan Lerminiaux
Tuesday, 26 May 2009 19:15
While data collection may seem like a straightforward process, it rarely is. There are an innumerable amount of unforeseeable circumstances, computer technologies, and people that can cause problems during an on-site collection. In this multi-entry blog series, we'll be discussing the most common items and the people that can make data collection more difficult for you so that you can make more informed decisions during your collections and collection prep.
Computers Using Full-Disk Encryption
Encryption is basically a method of scrambling information in such a way that only the correct key or passphrase can unscramble it. Full disk encryption is a security feature that encrypts an entire hard drive, as opposed to "standard" encryption, which usually refers to encrypting a single file or partition. As the world becomes more and more mobile, full disk encryption is gaining in popularity because of the security it provides for a computer's entire hard drive.
Handling the collection of an encrypted hard drive can take more time and money than an unencrypted hard drive. The safest way to handle full disk encryption involves a good deal of time and duplication, as follows:
1. The drive must be duplicated while encrypted.
2. The encryption software must be removed (so the drive is no longer encrypted when it is turned off).
3. The drive must be duplicated again.
4. The encryption software must be re-installed and the drive re-encrypted.
The above process takes many hours with a standard-sized hard drive. However, this process may not be necessary for all e-discovery purposes. If a company is using full disk encryption and cost is a major concern (as it often is), the encryption software could be removed by the company's system administrator prior to the EDD vendor's arrival on-site. If you decide on this course of action, keep in mind that removing encryption software can take several hours, so it is best not to wait until your vendor arrives. If the laptop is being sent to your vendor and you want to keep it encrypted while it is en route, you might be able to have your vendor remove the encryption, but it will likely add to your cost.
The methods mentioned above assume that you, your client, or the EDD vendor has the encryption key. Most companies that use full disk encryption have an administrator's key to use, so even if an employee will not give up their key, the disk can still be decrypted. Without any key, however, "cracking" encryption ranges from relatively time-consuming to extremely time-consuming; strong keys could take several months or years to crack.
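Because the first duplication above captures the drive in its encrypted state, a practical check before spending processing hours on an image is whether the bytes actually look encrypted. The following is an added example, not code from the original post or from any encryption or forensic product: it measures the Shannon entropy of a sample of bytes and flags samples near 8 bits/byte as ciphertext-like. The samples, the 7.9 bits/byte threshold, and the use of a seeded pseudo-random generator to stand in for ciphertext are all assumptions made for this example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for perfectly uniform
    bytes. Good ciphertext is indistinguishable from uniform random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = 7.9) -> bool:
    """Heuristic: a sample of at least several kilobytes with entropy at or above
    the threshold is consistent with ciphertext. The 7.9 bits/byte threshold is an
    assumption for this example. Caveat: compressed data (ZIP, JPEG, video) is also
    high-entropy, so a hit means 'not plain text', not 'certainly encrypted'."""
    return shannon_entropy(data) >= threshold


def classify_sample(data: bytes, threshold: float = 7.9) -> str:
    """Human-readable verdict for a sample read from a duplicated drive."""
    return "ciphertext-like" if looks_encrypted(data, threshold) else "plaintext-like"


# Constructed samples standing in for regions read from a duplicated drive.
PLAINTEXT_SAMPLE = b"Meeting notes, Monday: review travel budget with the attorney. " * 1024

# A seeded PRNG is used here only so the example is repeatable; in practice the
# bytes would be read from the image, and real ciphertext looks just like this.
_rng = random.Random(20090526)
CIPHERTEXT_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))


if __name__ == "__main__":
    for label, sample in (("document text", PLAINTEXT_SAMPLE),
                          ("encrypted region", CIPHERTEXT_SAMPLE)):
        print(f"{label}: {shannon_entropy(sample):.3f} bits/byte -> {classify_sample(sample)}")
```

Run against a few sectors from the start, middle, and end of an image, this tells an examiner whether they are holding the encrypted duplicate from step 1 or the decrypted one from step 3 before any indexing is attempted; a decrypted drive still contains high-entropy regions (compressed files, slack space), so the check is for the drive as a whole, not for individual files.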
Cell Phones
The fact that there are lots of different manufacturers with lots of different phone models makes collecting cell phone data very difficult. At this point, there is no standardization to how data is stored by cell phones, and storage algorithms can vary from one model to the next. This makes it very difficult for forensic software vendors to keep up. This is not to say that the data is not attainable, but don't be surprised if you cannot get everything you would expect to get (all deleted files, for instance), or if what is collected turns out to be not as easy to review as you would like.
The more common a phone is (a common BlackBerry model, for instance) the more effort forensic hardware and software companies put into making that phone simple and clean to collect and review. Obscure phones are usually more difficult to collect, and the data that is collected is more difficult to review.
Read more about items that can make your collections difficult in part 2 of our "Data Collection Pitfalls" blog series.
Written by Jason Briody
Tuesday, 21 April 2009 17:46
As an attorney, you're fluent in legalese, but many of the folks you work with during e-discovery seem to only speak "IT." This second entry in the EDD Dictionary is set up just like the first (found here); each common, EDD-related word is followed by its definition, the "attorney equivalent," and an example sentence.
locally (LOH-kuh-lee)
-adverb: regarding an action that takes place on a specific device without other devices getting involved; the opposite of "remotely"
Attorney equivalent: on their computer; on that server (context-dependent)
Examples:
1. You should search the custodian's hard drive; those user-created files are usually saved locally. (meaning they are saved on the custodian's hard drive)
2. Once that computer receives the data, it's all processed locally. (meaning the data is processed on that computer alone)
PST file (pee-ess-TEE fil)
-noun: also known as a personal storage folder, this file stores e-mail messages, contacts, and calendar appointments from a Microsoft Outlook user's profile and is usually located on a user's hard drive. (Note: whether or not a user will have a PST file depends on how Outlook is set up.)
Attorney equivalent: Outlook mailbox; Outlook messages, contacts, and calendar
Examples:
1. The company wasn't using an Exchange Server; were you able to find a PST file on the custodian's hard drive so we can extract the mail items?
machine (muh-SHEEN)
-noun: synonymous with "computer;" an electronic device that performs mathematical and logical calculations and which stores digital data
Attorney equivalent: computer
Examples:
1. That machine always seems to give me problems.
ESI (spoken as individual letters)
-acronym: short for "Electronically Stored Information;" any information that is digitally created, manipulated, communicated, or stored
Attorney equivalent: computer data
Examples:
1. This is the attorney who will be directing the ESI collection in Denver next week.
Check out the first entry in the EDD Dictionary, where we cover "acquisition," "dupe," "image," and "user-created files."
Written by Jason Briody
Tuesday, 10 March 2009 13:44
Welcome to the first post from JD&A's "EDD Dictionary." I've created a short list of words that I hear used in certain EDD situations which attorneys might not be familiar with. This entry is set up like an excerpt from a dictionary. Each word is followed by its definition, "attorney equivalent," and examples of the word being used in everyday language.
We'll be adding to the EDD Dictionary in future posts. (If you'd like, you can stay updated with our RSS feed!)
acquisition (ak-wuh-ZISH-uhn)
-noun: the act of gaining possession of the data that is stored on an electronic medium
Attorney equivalent: collection
Examples:
1. Tom did not answer his phone because he was in Texas on an acquisition.
dupe (doop)
Primary use:
-verb: to create a duplicate copy of an electronic medium
-noun: a duplicate copy of an electronic medium
Attorney equivalent: bit-stream copy, bit-for-bit copy
Examples:
1. We need to dupe Mr. Craig's laptop before 2pm. (verb)
2. Here is the dupe we made of Ms. Johnson's external drive. (noun)
Alternative use:
-noun: a duplicate copy of a file
Attorney equivalent: duplicate, copy
Examples:
1. I'll bet more than half of these emails are dupes.
image (IM-ij)
see "dupe" (primary use)
user-created files (YOO-zur kree-EYT-ed filz)
-noun: files, usually selected by file type, that are typically created by a user instead of by the operating system or an automated process
Attorney equivalent: files created by a custodian (Word documents, Excel documents, PDFs, etc.)
Examples:
1. I gave the attorney a list of the user-created files that were on the system.
Check out the second entry in the EDD Dictionary, where we define "locally," "PST file," "machine," and "ESI."
Written by Ryan Lerminiaux
Wednesday, 25 February 2009 12:30
In a recent article by Jessica Mintz, Guidance Software gets blasted for botching an internal E-Discovery request. It is not uncommon for companies to make mistakes when providing Electronically Stored Information (ESI) for an E-Discovery request. It is a relatively new concept, and companies are struggling to adapt. This issue is ironically highlighted when it happens to the developers of EnCase, which is one of the most widely used computer forensics software packages.
Guidance Software has been around since 1997, and is a leader in the computer forensic software market. Its flagship product, EnCase Forensic Edition, is probably the most widely used piece of software by computer forensic specialists. The main use of the software is recovering and reviewing data found on digital media. Guidance has apparently failed to produce emails relevant to the wrongful-termination case of ex-marketing director Cassondra Todd. After several months of searching, Guidance has reportedly been unable to locate the emails in question. So what happened to the emails in question? Here are 4 hypothetical scenarios that may explain the absent emails:
- EnCase software failed to find the relevant documents. This is very unlikely, as EnCase is recognized as an industry standard and used by computer forensics specialists worldwide.
- Guidance employees are withholding the relevant emails. Again, this scenario is highly unlikely, as withholding evidence could result in dire consequences (just ask Qualcomm).
- Guidance employees lack the talent to identify and pull the data with the right tools. Also highly unlikely; Guidance developed the tool. It's safe to say they know how to put it to good use.
- Guidance lacks a proper data retention policy, and the emails have been inadvertently lost or destroyed. While hopefully not the case, it has the potential of being the most realistic scenario of the four (speculative) possibilities; in our experience, many companies lack an adequate data retention policy.
It is very important for companies to have an up-to-date data retention policy in place, since even the best piece of forensic software will not be able to recover an email if it no longer exists within a company's infrastructure. A study (How Much Information? 2003) done in 2002 showed that 92 percent of the new information created that year was stored on magnetic media such as hard drives and tapes. ESI is playing a growing part in both civil and criminal cases, so it is crucial for a company to preserve new information it creates. A solid retention policy helps to keep track of and preserve the 90-plus percent of information stored electronically. Data retention is especially important when it comes to legal holds, at which point any user-created documents such as emails and Word documents should not be deleted.
In the end, having the proper software and hardware is only half the battle. The best forensic software is only helpful if used properly by well-qualified individuals and if the underlying data is maintained pursuant to an up-to-date document retention policy.