top of page

Sidestepping Roadblocks in eDiscovery and Investigations

Updated: Jul 6, 2023

Years (pronounced dĕ-kāds′) ago, a backpacking trip in the mountains ended one day earlier than we expected, so we looked for a short, overnight route to hike. About that time, it started snowing. The temperature had dropped overnight and throughout the day, so the snow began to accumulate in the grass almost immediately. We identified a short hike to a waterfall that would fit our time window (that’s an additional story, actually), and headed that direction in the truck. That was when snow began accumulating on the road. On the way to the trailhead, we encountered a gate closed across the road—closed due to the snow. But was it really? The lock hanging from the gate was not latched. It was just hanging from the bracket on the gate. From 50 feet away, it looked like we had arrived at a dead end with the gate across the road, but as we pulled up to the gate, we could clearly see that the gate was not locked. I’ll stop that story there, but fast forward to another road and another gate. This one WAS locked. The padlock on the gate was not coming off. Rats. Now, on either side of the gate blocking the road were posts cemented into the ground to block vehicles from driving around the gate. As we started to conclude that we were truly at a dead end this time, we noticed one of the posts blocking the right of way at the gate was leaning. Closer inspection showed that the entire post, including the cement blob at the bottom of it that anchored it in the ground, was loose. The entire post, cement blob and all, lifted right out of the ground, leaving a gap wide enough to drive a truck around the gate. Another roadblock that wasn’t. Again, I’ll stop the story there.


Are you imposing roadblocks in your investigation or in discovery that are not really roadblocks upon closer inspection?


For example, during a meet and confer, opposing counsel states, “My client bought a new cell phone since the incident, so we don’t have the information you asked for.” That might not be the case. Have you noticed how much easier it has become to transfer data from an old phone to a new one? You might be surprised at what data gets carried forward from a previous device, potentially including data relevant to your matter.


“My phone is set to delete text messages after 30 days, so I don’t have those messages anymore.” Even if the messages themselves are not available or recoverable, other data may remain after the text messages are deleted, including the date/time of messages and the phone number that sent or received them.


“My phone isn’t set to retain that information.” Well, that may be true. However, in some instances, the device still captures the data, but does not display it to the phone user. Or if a setting has been recently changed, data from before that change may remain on the device, but simply is not displayed to the user or collected from that point on. Old data may still exist.

“IT looked at the employee’s computer, and the employee had used private browsing and deleted the downloaded files.” Many forensic techniques yield data that is not found through techniques commonly used by IT personnel. A forensic examination may uncover a wealth of artifact indicating the employee’s activity on the computer. Even if downloads or other files have been deleted from a Windows computer, they may be recoverable, and artifact may remain providing insight into user interaction with the download.


“We’re not going to search employee phones because our policy prohibits using personal devices for business purposes.” We all know that employees do not always follow policy. Remember the saying, “There’s what the manual says, and there’s how we actually do things.” Why would a policy regarding smart phone use be any different? That being said, does the existence of a policy relieve counsel of the obligation to inquire about such data?

Finally, while more and more attorneys are beginning to see smart phones as sources of potentially relevant ESI, it’s still only the beginning. An extraction from a smart phone can provide indications of online repositories (e.g., Dropbox or Google Drive), personal email accounts, ephemeral or encrypted communications (e.g., Signal, Snapchat, and WhatsApp), and other useful data. Hidden apps and folders, such as photo galleries, are generally laid bare in a forensic collection. You won’t know what’s there until you look.


Talk to Invenius about whether an apparent roadblock can be circumvented. You might be surprised.

6 views0 comments

Comments


bottom of page