E-DISCOVERY 101: Where Can You Find Computer Related Evidence?
By Todd L. Dietrich and Gregory Fordham
Introduction
Individual PCs and Laptops
Mining File Servers and E-Mail Servers
Company Firewall, Router, Phone System and Security System Logs
What You Can Use From PDAs and Mobile Phones
Locating Good Evidence on Backup Tapes and Removable Media
It is estimated that over 95% of ALL documents are created in electronic form before being reduced to paper, if they are reduced to paper at all. Given the ubiquity of computers in the workplace and now even in the home, understanding Electronically Stored Information (ESI) and its potential impact on winning or losing the case is now more important than ever. The recent changes to the Federal Rules of Civil Procedure only cement that reality.
Why should paralegals care about ESI? The first reason is rooted in the above statistic. Almost without exception, every type of practice will encounter ESI at some point. Thus, if it isn’t already, ESI is something that you should be seeking and producing in discovery. A second reason lies in the past, where the task of sifting through boxes and boxes of produced documents, searching for the elusive smoking gun, fell to paralegals. While this will remain a staple of a paralegal practice for the foreseeable future, paralegals will also be poring over large quantities of produced ESI for the same purpose. Lastly, paralegals are also often assigned the task of locating appropriate experts, both consulting and testifying.
So, the better paralegals understand how ESI is created, deleted, stored, preserved, analyzed and produced, the better positioned they will be when reviewing ESI for the smoking gun and when doing the legwork involved in selecting an expert to assist with the ESI discovery issues.
1. Individual PCs and Laptops (Work and Home)
Unbeknownst to most people, Microsoft Windows tracks a sizeable amount of the activity conducted on a computer. This includes all system starts and stops, network logins, drastic calendar/clock changes, printing events, connection of peripheral devices, and any saving or creating of files. Something most people are unaware of is that it also tracks, to some degree, the programs that are run. All of these elements can be, and usually are, quite relevant to a lawsuit.
Evidence of these events will be found primarily in active space, although it is possible to locate such evidence in unallocated space as well. The following should help provide an understanding of the meaning of those two terms.
- Active or Allocated Space
Active or Allocated Space on the hard drive refers to areas that have been assigned and are being used by the file system at a specific moment in time. There is not an actual physical area on the hard drive set aside for active data. Allocated space can be found just about anywhere on the hard drive, and the same is true of unallocated space. Files located in allocated space do not require special tools to view or recover them. These types of files include visible files, which are files that can be viewed by default in Windows Explorer, and hidden files, which are files that can be viewed in Windows Explorer when the “View Hidden Files” option is selected. Evidentiary information can be found in numerous places in active space on the hard drive. Some of these areas include:
- Link Files
Link files are simply shortcut files that point to other files. The icons on your computer desktop are actually link files. They point to locations like My Computer or My Documents, and to applications like Microsoft Word, AOL, iTunes, etc. These are not the actual locations or application files themselves. However, internal to each link file is a path statement for the actual file or folder to which it is pointing. You can view that information by viewing the link file's properties, as illustrated below.
This box (left) appears when you right-click on the icon and select “Properties”. The highlighted target field above is a path statement pointing directly to the executable file that will launch the Firefox browser. However, there is some additional information that can only be observed by using forensic software, as seen below.

The information to the right is visible by viewing the same Firefox link file as above using the forensic software program FTK. The Creation, Last write and Last Access dates that are shown are actually for the target file that the link file is pointing to, and not the link file.
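The target dates that a forensic tool displays come from fixed fields in the link file's 76-byte header. The following Python sketch is an added example, not part of the original article and not FTK's code: it reads those fields using the header layout in Microsoft's published shell link format (MS-SHLLINK). The function names and the sample header are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader layout (76 bytes, little-endian) per Microsoft's MS-SHLLINK spec.
HEADER = struct.Struct("<I16sIIQQQIiIHHII")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means not recorded."""
    if ft == 0:
        return None
    try:
        return EPOCH_1601 + timedelta(microseconds=ft // 10)
    except OverflowError:          # corrupt value beyond datetime's range
        return None

def dt_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample below."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_lnk_header(data):
    """Return the target-file metadata stored in a .lnk file's header."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than a shell link header")
    size, clsid, _flags, attrs, created, accessed, written, fsize, *_ = \
        HEADER.unpack_from(data)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    return {
        "target_created": filetime_to_dt(created),
        "target_last_access": filetime_to_dt(accessed),
        "target_last_write": filetime_to_dt(written),
        "target_size": fsize,
        "target_attributes": attrs,
    }

def build_sample_header():
    """Constructed sample header (not from a real case), for offline testing."""
    utc = timezone.utc
    return HEADER.pack(
        0x4C, LINK_CLSID, 0, 0x20,
        dt_to_filetime(datetime(2007, 3, 1, 9, 15, tzinfo=utc)),       # created
        dt_to_filetime(datetime(2007, 6, 12, 14, 2, 30, tzinfo=utc)),  # accessed
        dt_to_filetime(datetime(2007, 5, 20, 8, 0, tzinfo=utc)),       # written
        7_600_000, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    for field, value in parse_lnk_header(build_sample_header()).items():
        print(f"{field:20} {value}")
```

To examine a real shortcut, pass the bytes of a working copy of the `.lnk` file to `parse_lnk_header`; the times it returns are in UTC and describe the target file as it was when the link was last updated.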