Let me share with you the interesting case of Blythe v. Bell, 2012 NCBC 42 (N.C. Super. Ct. 2012). There, defendants engaged an outside “expert,” Tom Scott, owner of Computer Ants, for e-discovery work. Defendants’ counsel failed to conduct any intervening review of Scott’s work. Instead, defendants relied exclusively on Scott to conduct a privilege review, among other things.

Unfortunately for defendants, Scott had “never provided any forensic computer services in the context of a lawsuit,” and had never “been engaged as a computer expert or provided an opinion in any legal proceeding.” Rather, Scott had worked as a “truck driver, a Bass Pro Shop Security Manager, a respiratory therapist, and a financial auditor for a retail seller.” Put differently, Scott had no experience in e-discovery.

The Court found that Scott’s paucity of qualifications to serve as an e-discovery “expert” rendered the defendants’ actions particularly unreasonable. Consequently, defendants produced nearly 2,000 pages of otherwise privileged documents to the plaintiff.

The lesson here is that, if you have an e-discovery issue or a digital forensics issue, don’t call the computer dude or dudette you use to fix your slow computer, or printer, or to set up your wireless network.  That person and a digital forensics expert or e-discovery consultant will rarely be one and the same.


The author, Sean L. Harrington, is a law student and digital forensics examiner, information security professional, and e-discovery, trial, and litigation consultant with the private practice firm of Attorney Client Privilege, LLC, and a risk management team lead for US Bank. Harrington holds the MCSE, CISSP, CHFI, CSOXP, and LexisNexis CaseMap support certifications, served on the board of the Minnesota Chapter of the High Technology Crime Investigation Association in 2011, is a member of Infragard, a member of Century College’s Computer Forensics Advisory Board and [erstwhile] Investigative Sciences for Law Enforcement Technology (ISLET) board, and is a council member of the Minnesota State Bar Association (MSBA) Computer & Technology Law Section.

Between law school and the CISSP, CSOXP and CHFI exams, I guess I must not be doing a good job keeping up with current events.  If I had, I would’ve known about this November decision from the U.S. Court for the Middle District of Pennsylvania, where a judge is characterized in an article by Dan Goodin as saying, “a hard drive is comprised of many platters, or magnetic data storage units, mounted together,” and, therefore, each platter constitutes its own separate container and the lawful acquisition of one didn’t breach the others. What?!

Indeed, that genius bit of reasoning was the basis of a suppression order, finding that a landlord’s eviction of a tenant and subsequent discovery of child pornography would have given way to a valid gov’t seizure under the private search doctrine if prosecutors had limited their activities to the same file search employed by the landlord rather than a file-signature inventory.

I’m all for the Exclusionary Rule –which is on the brink of abolishment– as a deterrent for police misconduct, but the problem with this reasoning is that the separate internal platters of a hard-drive are certainly not separate containers.  Individual files are stored in sectors and often span across several platters.  A Windows file search would access the same sectors that an EnCase hashing routine (discussed in the opinion) would access.  The judge’s reasoning would have been valid if there was more than one hard-drive in the computer and the landlord’s search was confined to one, but the Government had accessed the others [without a warrant].

Whereas Goodin didn’t pick up on this, I was relieved to discover that another blogger, Rich Cannata, did. In his December 11, 2008 post, Rich wrote:

Wow.  While the Judge deserves some recognition for an attempt at technical savvy, this analogy falls quite short.  Under the guise of this analogy, the geometry of the hard drive’s platters determined what is searchable and what is not.  If the target is a 500GB Seagate drive with four platters and eight read/write heads, is less data to be considered within the scope of the search than if the exact same information were stored on a 500GB Samsung drive with one platter and two read/write heads? If the data is stored on a RAID array, how do you determine which platters in which drives are within the scope of the search?  The judge also skips over the fact that even in the Runyan case, there were two recording surfaces for each floppy disk.  Since the introduction of MS-DOS 1.1, the Microsoft operating system has used both sides of a diskette; these are distinctly two separate recording surfaces of a floppy disk, yet it appears to the computer user as a single “container”.  Using the single platter logic, in the Runyan case, they would have only been within bounds to search the side of the floppy disk that contained the file that the third party found/viewed.  In this context, it appears that a logical volume should be the boundary for a container, but, with the advances in drive density, considering this as a boundary is disconcerting.
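
To make the platter point concrete (an added example, not taken from the opinion, Goodin’s article or Cannata’s post): the sketch below uses the classic cylinder/head/sector mapping to show which heads and platters hold one contiguous file on the two drive layouts Cannata describes. The 63-sectors-per-track figure, the file sizes and the starting addresses are constructed, and modern drives remap logical blocks internally, so treat the geometry as an assumption.

```python
from dataclasses import dataclass

SECTOR_BYTES = 512


@dataclass(frozen=True)
class Geometry:
    name: str
    heads: int               # recording surfaces; two per platter
    sectors_per_track: int   # constructed value, same for both drives


# Head counts follow the two drives in the quoted post; 63 sectors per
# track is an assumption made for illustration.
FOUR_PLATTER = Geometry("four platters / eight heads", 8, 63)
ONE_PLATTER = Geometry("one platter / two heads", 2, 63)


def lba_to_chs(lba, geo):
    """Classic LBA -> (cylinder, head, sector) mapping; sector is 1-based."""
    cylinder, rem = divmod(lba, geo.heads * geo.sectors_per_track)
    head, sector0 = divmod(rem, geo.sectors_per_track)
    return cylinder, head, sector0 + 1


def heads_touched(start_lba, size_bytes, geo):
    """Heads holding at least one sector of a contiguous file."""
    n_sectors = -(-size_bytes // SECTOR_BYTES)  # round up to whole sectors
    return sorted({lba_to_chs(lba, geo)[1]
                   for lba in range(start_lba, start_lba + n_sectors)})


def platters_touched(start_lba, size_bytes, geo):
    """Platters involved, assuming heads 2k and 2k+1 serve platter k."""
    return sorted({h // 2 for h in heads_touched(start_lba, size_bytes, geo)})


if __name__ == "__main__":
    # Constructed files: (label, starting LBA, size in bytes).
    files = [("200 KiB document", 2048, 200 * 1024),
             ("4 KiB note", 2136, 4 * 1024)]
    for geo in (FOUR_PLATTER, ONE_PLATTER):
        print(geo.name)
        for label, lba, size in files:
            print(f"  {label}: heads {heads_touched(lba, size, geo)}, "
                  f"platters {platters_touched(lba, size, geo)}")
```

Under these assumptions the same 200 KiB file sits on all four platters of the first drive and on the single platter of the second, and even the 4 KiB file crosses a platter boundary on the first drive, which is why a file-level search and a sector-level hashing pass cannot be separated by platter.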

Tomorrow afternoon, I am taking the CHFI exam.  While studying through the official 2,721 page exam courseware, I encountered a “case study” that was laughable.  Let me share it with you:

TargetMac and OneMac are two magazines that cater to the growing Ipod users. The CEO of TargetMac is Bryan Smith and the CEO of OneMac is John Beetlesman.  Bryan  calls John one day and convinces him to purchase TargetMac.  The lawyers of both companies were called in to finalize the deal.  The lawyers draft the sale contract, which restricts removal of sensitive and confidential information and non solicitation of TargetMac customers and working staff. A non compete clause was also added in the agreement.

It has been two years and John Beetlesman is suspicious about Bryan’s activities.  John suspects Bryan has breached the contract.  John knows that you are a CHFI professional and provide computer forensics services to his clients.  John’s company lawyer, Smith Franklyn, contacts you to investigate and provide evidence to support the breach of contract so that John can file a lawsuit against Bryan at local civil court in San Francisco, California.

How do you investigate this incident?


1. You want to examine hard disk and laptop computers of Bryan’s home and office for evidence.
2. You ask the lawyer Smith Franklyn to obtain a search and seizure warrant at Bryan’s home located at 37 Albert Avenue, San Jose and his office located at 46, Mathew Street, Santa Monica.
3. Smith Franklyn works with the local District Attorney to obtain the required search warrant.
4. Smith Franklyn and you visit Bryan’s home and seize his computer which is a HP Pavilion Model 1172.
5. You later visit Bryan’s office and seize his laptop, floppy disks and CD-ROMS.
6. You place the devices carefully in anti-static bags and transport it to the forensics laboratory.
7. Create a bit-stream image of the hard disk using tools such as R-Drive and Linux dd commands.
8. Generate MD5 or SHA-1 hashes of the bit stream images.
9. Prepare the chain of custody and store the original hard disk in a secure location. You would be investigating the bit stream image copy.
10. You are ready for investigation.
11. You are asked to retrieve: a. Any document in the computer which shows proof for breach of contract.
12. You load the bit stream image in AccessData Forensic Tool Kit (FTK) and browse every single file in the file system.
13. You also read every single email displayed in FTK.
14. After many days/nights of investigation you retrieve the following crucial evidence:

a. Encrypted file titled “Business Plan AppleMac Magazine”
b. Excel spreadsheet “revenuestreams.xls”
c. Numerous email messages back and forth with his investors.

15. You run a password cracking utility to crack the encrypted file “Business Plan AppleMac Magazine.doc” and the password was “planapple”.
16. These above documents clearly indicate that his new business would compete with TargetOnes’s business.
17. You copy these files to a CD-ROM.
18. You use FTK report facility feature and produce a professional report.
19. You deliver the report to the company along with the fee for the forensics service you rendered.

Based on your submitted report the lawyer, Smith Franklyn initiates a $20 million lawsuit against Bryan. After two weeks the court of law holds Smith Franklyn Bryan guilty and asks to pay the amount.

In my judgment, this portion of the courseware was not written with the aid of an attorney.  First, in a civil matter –contract breach– one doesn’t obtain a “search and seizure warrant” with the aid of the district attorney.  A plaintiff first files suit, then issues a narrowly tailored request for production (or subpoena, if it is third-party property) and then awaits opposing counsel’s Motion to Quash and for Protective Order.

Second, assuming the Court finds that the suit is not a fishing expedition (which this fact situation appears to be), an adverse party would never be entitled to “visit Bryan’s home and seize his computer . . . and later visit Bryan’s office and seize his laptop, floppy disks and CD-ROMS.”  Instead, one would expect to retain a third-party vendor to search for potentially-responsive ESI or the court would appoint a special master for that same purpose.

This calls to mind a recent decision by the Colorado Supreme Court in November in the case of Cantrell v. Cameron, 195 P.3d 659 (Colo. 2008) (en banc).  The case arose from a traffic accident in which the allegedly negligent party (Cameron) was accused of using his laptop computer while driving.  Cantrell asked to inspect Cameron’s laptop for evidence that it was in use at the time of the accident.  Cameron agreed to a limited inspection, but wouldn’t produce the laptop without a written agreement limiting the scope of the inspection.  Whereas Cameron insisted the scope be limited “to the time of the accident,” Cantrell understandably wanted a broader search to confirm that there had been no subsequent manipulation of the hard drive.  Cantrell sought an order to compel, which the trial court granted.  Cameron then filed for a writ of prohibition with the state’s Supreme Court.

In its ruling, the Colorado Supreme Court noted:

personal computers may contain a great deal of confidential data.  Computers today touch on all aspects of daily life . . . they are postal services, playgrounds, jukeboxes, dating services, movie theaters, daily planners, shopping malls, personal secretaries, virtual diaries, and more. Very often, computers contain intimate, confidential information about a person. When the right to confidentiality is invoked, discovery of personal computer information thus requires serious consideration of a person’s privacy interests.

195 P.3d at 661 (quotations and citations omitted). As a result of these findings, the court concluded that the trial court abused its discretion in issuing an unqualified order directing Cameron to produce his laptop for inspection and without establishing parameters to balance the truth-seeking purpose of discovery with the privacy interests at stake.

In my opinion, Cantrell had a right to ascertain that the hard-drive had not been tampered with, which required inspection of the entire drive. In most cases, I would argue that the entire hard drive is certainly needed, although a very small fraction of ESI on the drive will be relevant.

By way of example, I was very recently involved in a case where I obtained the entire hard-drive for inspection.  All the data sought resided in slack-file space, deleted files and printer spool files (documents drafted in MS-Word and sent to the printer, but never saved, probably in an effort to leave no record).  Obviously, opposing counsel would not have been able to direct his client to extract that information (let alone produce it in a readily usable form).

The answer to this dilemma, which would not have conflicted with the Colorado Supreme Court’s ruling, is: (a) to craft a narrowly-tailored discovery request that is limited in relevance to the case but specific enough to overcome efforts to conceal data; (b) to retain a third-party vendor (or ask the court to appoint a special master); and (c) to provide the forensic analyst with as much specific guidance as possible to discover potentially responsive data.  When questions arise as to whether data discovered is relevant or privileged, they may be resolved by an in camera review or the special master, if applicable, will make that call.

The Maryland Court of Appeals issued a decision yesterday in Independent Newspapers, Inc. v. Zebulon J. Brodie protecting the identity of anonymous Internet posters and, for the first time, offering guidelines for that state’s courts to follow in libel cases before compelling disclosure of online commenters’ identities.

The five-step process the court adopted was borrowed from Dendrite Int’l, Inc. v. John Doe No. 3, 775 A.2d 756 (N.J. Super. Ct. App. Div. 2001) and explicated in detail in yesterday’s 43-page majority opinion. It seeks to help trial courts “balance First Amendment rights with the right to seek protection for defamation” by suggesting they:

•Require that plaintiffs notify anonymous parties that their identities are sought.

•Give the posters time to reply with reasons why they should remain nameless.

•Require plaintiffs to identify the defamatory statements and who made them.

•Determine whether the complaint has set forth a prima facie defamation, where the words are obviously libelous, or a per quod action, meaning it requires outside evidence.

•Weigh the poster’s right to free speech against the strength of the case and the necessity of identity disclosure.


In a letter to the Chair, Hon. Lee Rosenthal, of the Committee on Rules of Practice & Procedure (Judicial Conference of the U.S.), Senator Joe Lieberman observes that “The goal of [Section 205(e) of the E-Government Act] . . . was to increase free public access to these records,” and demands to know why access to PACER isn’t free and also why “not enough has been done to protect personal information contained in publicly available court filings.”

Further reading: John Schwartz, An effort to upgrade a court archive system to free and easy, New York Times (Feb. 13, 2009)

Minneapolis photographer Chris Gregerson recently prevailed in a copyright infringement suit against a real estate photographer who used his photos on a Website and in advertising.  More interesting than the $19,462 award: (1) the plaintiff won at trial even though he was pro se and (2) the photos at issue used digital watermarking, where a copyright notice was placed inside the EXIF metadata. Judge Montgomery found that the defendant willfully removed both the visible watermark and the EXIF metadata, resulting in an award of statutory damages.  The findings include some other good flavor: the defendant allegedly forged a falsified contract with an allegedly fictitious seller, and the notary for the contract resigned his notary license.

Prior to digital watermarking, photos just had to look the same.  Add Metadata to the mix, and a plaintiff can have near-conclusive proof of infringement.

Decision, coverage, and Gregerson’s site documenting the ordeal.

The NY Times blog Bits discusses whether IP addresses constitute personal information under privacy law.  Google argues that IP addresses cannot, in isolation, identify a person. But the author counters that the IP address, when used in conjunction with other information (e.g., from an ISP), can identify a person. The author likens an IP address to a retail closed-circuit camera that does not, alone, identify shoppers. But when the video is connected with a shopper’s purchase, or with government-provided photos (e.g., driver’s license), they can easily identify the person.

The author contends that because IP addresses can personally identify users, they do not fall within the two realms currently considered by privacy law: (1) personally identifiable information and (2) that which is not.  As such, lawmakers should consider whether a third category is appropriate: “partially personal information.”

This is an intriguing concept that would change the privacy area’s current black-and-white thinking: from a binary “yes” or “no” response to a system with a middle ground. Google’s global privacy counsel apparently agrees that a sliding scale within this third category is a good idea, pointing to scholarship in this area.

One thought that readily comes to mind is this: isn’t a huge swath of relevant evidence “partially personal information”?  If an investigator talks to the cashier at my favorite lunch spot, he can identify me. Did he just divulge “partially personal information”? The cash-register receipt has partially personal information (the last four digits of my credit-card number).  In nearly every criminal or civil case, litigators daily put together this “partially personal” evidence to connect the dots for the decision-maker. Would my cash-register receipt be subject to state or federal privacy law?  If I tell the cashier to keep it, should he be required to throw it in a shredder, lest this “partially personal information” get into the wrong hands?

The concept of a sliding scale is good, but it would take careful crafting of definitions for this idea to get traction.

I.P. Address: Partially Personal Information [NY Times]

From the Court Information Office, for immediate release (Nov. 16, 2007)

[Those] interested in looking up a Minnesota trial court record will find the task easier as of noon, today, when access to some trial court records became available through the web site of the Minnesota Judicial Branch. Records for the Supreme Court and the Court of Appeals became available through the web site earlier this year. Until now, however, anyone interested in looking up a trial court record could only do so by going to a public access computer terminal at a courthouse.

The new service allows a viewer to search criminal cases by case number, defendant name or attorney name. Name searches will be limited to cases where at least one charge has resulted in a conviction. The on-line search will also not list addresses.

Civil, family and probate cases can be searched by party name, case number or attorney name.  The system will also allow for searches of court calendars by party, business name, case number, judicial officer or attorney name.

“Our staff has been working hard for several years to create a single, state-wide court record system,” said State Court Administrator Sue Dosal. “Remote access to court records via the Internet is one of the many new benefits creation of a single system will allow.”

The service, Minnesota Public Access Remote (MPA), is a public view of the new trial court records system, the Minnesota Court Information System (MNCIS).  MNCIS, which was created by merging 10 different databases and multiple case management applications, includes more than 9 million case records dating back to the mid-1970s. The final two pieces of the system, Ramsey County court criminal case records, and Dakota County Court records, will be added to the system in early 2008.

The new statewide case records system allows the Judicial Branch to share court records with other justice system agencies, including police, prosecutors and corrections officials.

Court officials are discouraging use of the MPA service for criminal background checks. The Minnesota Bureau of Criminal Apprehension offers a criminal background check service that links prior criminal history through fingerprints to verify identification of the individual. The MPA service for court records cannot provide this level of verification.

Court officials cautioned that name searches conducted through the MPA service could be unreliable because the person identified in the search could have the same name, birth date or other identifiers as someone else. In addition, criminal offenders frequently use aliases, including the names of others.

The court system staff has been working to eliminate duplicate records and mistaken entries as the new system has been built. Court officials are hoping people who find an error in a court record will notify the courts so the record can be corrected. Viewers will not be able to modify the case records. Only court administrators can authorize changes.

“Many, many people have worked very hard over several years to convert a fragmented, hard to search, outdated case records system into this new, state-of-the art case management system,” said Sue Dosal.  “In the coming years, the creation of MNCIS will allow us to add many new capabilities and services that will benefit court employees, court policy makers and the tens of thousands of people who interact with Minnesota’s courts each year. We envision adding services such as e-filing of cases, remote payment of court fines and fees, up-to-date accounting information and much, much more.”

“Robert Hanson, our Chief Information Officer, and his Information Technology staff and the hundreds of court employees who worked on this project have developed a system that will benefit Minnesotans for years to come.”

Some believe strongly that open access to case information, such as bar disciplinary proceedings, is necessary in order to determine whether self-regulation adequately serves the public interest. See, e.g., Attorney Discipline Web Data Uneven, Nat’l Law Review, Sept. 10, 2007.

A Web site maintained by the North Dakota Supreme Court provides a statement of issues and briefs in advance of oral arguments and then the audio of oral arguments afterwards. Click here for one case example.

For related topics, see also Availability of Online Resources May Be One Reason for Reduction in U.S. S.Ct. Caseload and Google aids public record accessibility.