A multi-part series on the essentials practitioners need to know about ESI collections
In “Collection and the Duty of Technology Competence,” we discussed lawyers’ duty of technology competence and the importance of understanding collection to fulfilling that duty. In “The Broad Scope of Collection,” we discussed the potential legal and technological scope of collection. In “How Computers Store ESI,” we discussed the operation of computer memory. In “Collecting and Recovering ESI from Computer Memory,” we discussed the technical process of collection. In this Part, we review the intersection of that technical process with legal requirements.
The ultimate goal of evidence collection is the eventual use of some of that evidence in court, whether by you or another party. The admissibility of a particular piece of evidence at trial turns on a variety of factors, including its relevance, its potential for prejudice, its status as hearsay, etc. The most foundational of the requirements offered evidence must satisfy is that it must be authentic, i.e. it must actually be whatever it purports to be. This is essential for the obvious reason that fake or falsified or altered materials cannot carry any weight as evidence; fake evidence makes no fact more or less true and is, therefore, irrelevant to the proceedings.
The process for establishing evidentiary authenticity is laid out in Federal Rule of Evidence 901. To establish authenticity, “the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.” Satisfying this requirement for ESI means being able to demonstrate that an offered file comes from where you say it does and has not been altered from the original, i.e. that you’ve maintained forensic soundness and chain of custody.
Forensic soundness is a widely used phrase in the discussion of forensic collection and investigation processes that lacks a precise legal or technical definition. It is used generally to describe tools and processes that can be relied upon to capture evidence in a way that does not alter or corrupt that evidence, and which conforms to accepted industry best practices. For working with ESI, the National Institute of Standards and Technology actually tests the operation of available forensic tools (like the write blocking and disk imaging tools we touched on in the last Part) and provides public reports on their soundness.
In the context of eDiscovery, ensuring forensic soundness generally means capturing exact copies of relevant files, with any relevant metadata intact, and then working with copies of those copies, to ensure preservation of an unaltered original set. The precise technical steps required to achieve that goal will vary by ESI source and collection tools employed, and the currently-accepted industry best practices for various source types continue to evolve as the technology does, both in practice and in court. For this reason, using a qualified forensic expert (or at least consulting with one prior to collection) is recommended to ensure currently acceptable processes are employed.
Metadata, broadly speaking, is data about data. In the context of ESI, every file on a computer or mobile device contains not only the user-facing content you would see if you opened it but also a diverse array of information about the file itself. Common examples include the time and date sent for an email, or the author and last modification date for an Office document. This additional information is the file’s metadata, and it is an important part of collection and discovery in most cases.
The specific metadata fields available will vary with the specific file format. For example, music files typically include artist and track information in their metadata. Photo files may record where and by what device they were taken. Email files will document their attachments. Available fields will also vary with the source application. Application metadata ranges from the very widely-used (e.g., date and time created) to the very application-specific (e.g., tracked changes in a document or hidden content in a spreadsheet). Additional metadata about files will also be generated and maintained by the system on which they exist (e.g., file path).
In terms of evidentiary value, we are most often concerned with metadata revealing when things were done (e.g., when something was created, modified, sent, or received), but there may be relevant evidence in other types of metadata, and there is enormous process value regardless. Metadata values are the basis of many filtering, sorting, and searching options within document review tools. For example, metadata is what enables you to keep emails and attachments in family groups, to filter for emails to or from a particular address, or to search for keywords within email subject lines. The more data about your data you have, the more creative and efficient you can be in your exploration of that data before and during review.
Because of both its potential evidentiary value and its enormous process utility, metadata has become an expected (and sometimes required) component of many ESI productions (see, e.g., DOJ production protocols or Sedona Principle 12). Unfortunately, metadata is also easily altered if files are not collected and handled correctly. For example, accessing and copying original files without safeguards like those we discussed in the last Part can alter metadata, as can forwarding relevant emails instead of collecting them directly, either of which would destroy forensic soundness, reduce utility, and potentially impair admissibility.
Chain of custody refers to documentation of the path a piece of evidence has traveled from its point of origin to its eventual submission in court. It typically documents places, times, and people involved in the handling of the evidence, as well as any relevant processes employed. Its purpose is to demonstrate that a piece of evidence submitted in court is what you claim it is, from where you claim it’s from, and unaltered, as required by Federal Rule of Evidence 901.
Although the concept originates with physical evidence, it is equally applicable to ESI collection and handling. Thus, carefully documenting your collection efforts and subsequent ESI handling is another important part of ensuring the reliability and later admissibility of the ESI you collect. In addition to your chain of custody documentation, an individual responsible for the collection and data handling may need to submit an affidavit (or provide live testimony) describing the steps taken, the tools used, and how they ensured forensic soundness and chain of custody were both maintained from the point of collection through to the submission as evidence.
Upcoming in this Series
In the next Part of this series, we will review some of the available collection approaches and tools for implementing them.