Legal Brief: How's Your Forensics Strategy?

Although forensic products are slow to evolve, new eDiscovery requirements and the increasing sophistication of corporate infosec practices suggest that you re-evaluate your forensic readiness.

June 20, 2007


Are you among the fortunate minority who haven't yet had to conduct a computer-forensics investigation? That doesn't mean you don't need a strategy. The production of electronic documents during a lawsuit--eDiscovery--is increasingly crucial in modern litigation. Helping drive this trend are recent amendments to the Federal Rules of Civil Procedure--the legal code governing discovery during civil litigation in federal court--which formalize and create new requirements regarding eDiscovery.

So what strategy should you take? A forensics product or service provider can fill a specialized niche unaddressed by eDiscovery vendors, which focus on restoring large amounts of data for searching, analysis and production to an opposing party (watch for our eDiscovery feature). However, within a particular lawsuit, an intense search of a particular system may be needed, requiring a dedicated forensic product. Recently, a Minnesota federal district court ordered a plaintiff to produce all relevant documents including those deleted and corrupted--a task beyond most eDiscovery products.

Having a forensics tool at the ready may provide flexibility that makes business sense. When preserving evidence in preparation for a discovery request, creating forensic-quality mirror images of systems provides numerous benefits. If the scope of the eDiscovery request concerns events or communications in the past, a properly created forensic image of the relevant systems' hard drives can help guard your company against claims of "spoliation" of evidence.

For all but the largest enterprises, however, justifying $100,000 for a good forensics tool is going to be tough. But forensic-quality imaging tools--rather than a full-blown forensics system--are available at a fraction of that cost, deferring the cost of analysis until you need it.

The advantages of having in-house imaging capabilities robust enough to withstand the rigors of litigation extend to other areas of IT as well. In particular, information security will get a shot in the arm. As any investigator will attest, in the rush to diagnose and respond to a security incident, well-intentioned IT staff often change or destroy critical evidence. In the heat of the moment, the scope and implications of a particular incident are notoriously difficult to assess, meaning that the window of opportunity to image a system usually slams shut. Proactively developing this capability lets you respond to security incidents with the full force of the law when required.

Later, when the time arises for actual forensic analysis, choosing a vendor or service provider can be difficult. Keep your eye on the end game: Although most cases settle, your hired guns may need to provide expert witness services. Ensure that they have experience being deposed, writing clear expert reports and appearing in court. The dearth of actual trials prevents experts from gaining much courtroom experience, but the people you hire ideally should be qualified as experts in multiple courts. Recently the U.S. Court of Appeals for the Sixth Circuit confirmed that witnesses testifying about forensic evidence must meet the requirements for expert testimony, suggesting that these requirements will become standard.

Also ensure that the forensic tool used can meet evidentiary requirements. Veteran vendors offer extensive guidance, while the National Institute of Standards and Technology Computer Forensics Tool Testing Project, started in 2003, offers public testing results of imaging and associated products, with plans for analysis tools.

Although forensic products tend to evolve slowly, new eDiscovery requirements and the increasing sophistication of corporate infosec practices suggest that you re-evaluate your forensic readiness. Larger organizations should consider developing an imaging capability in-house to reduce costs, while others should preselect a service provider and negotiate rates if repeat use is likely.

Patrick R. Mueller, CISSP, is completing his law degree at the University of Wisconsin-Madison and will be joining the privacy compliance practice at Wildman Harrold Allen & Dixon, LLP, in Chicago. Write to him at [email protected].
