Computer Forensics v. E-Discovery: What Every Expert Should Know

Increasingly, the answers to the most fundamental litigation questions – the “who, what, where, when, and why” – are contained in electronically stored information (ESI), which can be retrieved through electronic discovery (e-discovery) and/or computer forensics.

Before you get to that crucial step, however, you need to understand both the applications and parameters of e-discovery and computer forensics, as they can be critical to the outcomes of litigated matters.

E-Discovery and Computer Forensics

The primary focus of standard e-discovery is the collection of active data and metadata from multiple hard drives and other storage media.  Litigation can be supported by active data (information readily available to the user, such as e-mail, electronic calendars, word processing files, and databases), or by metadata (that which tells us about the document’s author, time of creation, source, and history).

Data collected in e-discovery can be limited; for deeper recovery, computer forensics is often used.

The goal of computer forensics is to conduct an autopsy of a computer hard drive – searching hidden folders and unallocated disk space to identify the who, what, where, when, and why from a computer. A significant amount of evidence is not readily accessible on a computer; when this occurs, a computer forensic examination is necessary.

Data Gathered by Computer Forensics

When we use computer forensics, we are typically retrieving specific, accessible, and inaccessible data, such as:

Automatically stored data: Data that is automatically stored by the computer, such as by an automated backup. A file that has been purged from a server may still exist as a copy on the user’s hard drive.

Deleted files: “Deleted” but not destroyed. Deleted data can remain on a hard drive until it is overwritten or wiped.

Residual or “ghost” data: Data that remains recoverable from a computer system, but isn’t readily accessible, such as deleted files or file fragments.

System data: An electronic trail of activity on a computer or network.

Wiping software: If wiping software has been used, it can be detected with computer forensic software.
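
To illustrate the deleted-file, residual-data and wiping items above, the following added example (not from the original article) triages a constructed block of unallocated space: it carves a deleted PDF by its header and trailer signatures and counts sectors filled with a single repeated byte. The sample bytes, the choice of PDF signatures and the uniform-sector heuristic are assumptions made for the illustration; a uniform sector may be a wipe pass or simply never-written space.

```python
"""Added illustration: triage of unallocated space from a raw image."""
SECTOR = 512
PDF_HEADER, PDF_TRAILER = b"%PDF-", b"%%EOF"


def classify_sector(sector: bytes) -> str:
    """'uniform' = one repeated byte value (overwrite pass or never-written
    space, an assumed heuristic); 'data' = anything else."""
    return "uniform" if len(set(sector)) <= 1 else "data"


def carve_pdfs(unallocated: bytes) -> list:
    """Signature carving: (offset, bytes) for each header..trailer span."""
    found, pos = [], 0
    while (start := unallocated.find(PDF_HEADER, pos)) != -1:
        end = unallocated.find(PDF_TRAILER, start)
        if end == -1:
            break  # header with no trailer: the tail was overwritten
        end += len(PDF_TRAILER)
        found.append((start, unallocated[start:end]))
        pos = end
    return found


def triage(unallocated: bytes) -> dict:
    """Summarise what survives in a span of unallocated space."""
    sectors = [unallocated[i:i + SECTOR]
               for i in range(0, len(unallocated), SECTOR)]
    labels = [classify_sector(s) for s in sectors]
    return {"sectors": len(sectors),
            "uniform": labels.count("uniform"),
            "carved": carve_pdfs(unallocated)}


def build_sample() -> bytes:
    """Constructed sample: 8 sectors standing in for unallocated space."""
    deleted_invoice = b"%PDF-1.4\nInvoice 0042: 500 gal unleaded\n%%EOF"
    file_sector = deleted_invoice.ljust(SECTOR, b"\x00")  # deleted, intact
    fragment = (b"...payment received 2009-03-14..." * 16)[:SECTOR]
    overwritten = b"\x00" * SECTOR * 6  # six zero-filled sectors
    return file_sector + fragment + overwritten


if __name__ == "__main__":
    report = triage(build_sample())
    print(report["sectors"], report["uniform"], report["carved"])
```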

Preservation of the original evidence is critical.  Creating a mirror image of the storage device produces an exact replica, bit for bit, of the original device that allows investigation of past use without alteration of the evidence.
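
How a mirror image is shown to be bit-for-bit identical, as an added example that is not part of the original article: the source is hashed while it is copied, and the image is re-hashed before analysis. SHA-256, the chunk size and the in-memory stand-ins for the drive and the image file are assumptions; a real acquisition reads the device through a write blocker.

```python
"""Added illustration: hash-verified acquisition of a mirror image."""
import hashlib
import io

CHUNK = 64 * 1024  # read size in bytes (assumed; any size gives the same hash)


def acquire(source, image) -> str:
    """Copy source to image chunk by chunk, hashing exactly what was read.
    Returns the SHA-256 hex digest recorded at acquisition time."""
    digest = hashlib.sha256()
    while chunk := source.read(CHUNK):
        digest.update(chunk)
        image.write(chunk)
    return digest.hexdigest()


def hash_stream(stream) -> str:
    """Hash a seekable stream from its first byte to its last."""
    digest = hashlib.sha256()
    stream.seek(0)
    while chunk := stream.read(CHUNK):
        digest.update(chunk)
    return digest.hexdigest()


def verify(image, acquisition_hash: str) -> bool:
    """True only if the image still matches the hash taken at acquisition."""
    return hash_stream(image) == acquisition_hash


def demo():
    # Constructed stand-in for a 1 MiB source drive.
    source = io.BytesIO(bytes(range(256)) * 4096)
    image = io.BytesIO()
    acquisition_hash = acquire(source, image)
    intact = verify(image, acquisition_hash)

    # A working copy with a single flipped bit no longer verifies.
    altered = bytearray(image.getvalue())
    altered[123456] ^= 0x01
    altered_ok = verify(io.BytesIO(bytes(altered)), acquisition_hash)
    return intact, altered_ok


if __name__ == "__main__":
    print(demo())
```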

The Court’s View of Computer Forensics

In the last decade, it has become common for the courts to enter an order requiring the mirror imaging of hard drives and peripheral devices that could contain responsive and relevant evidence to an opposing party’s request for production. See, e.g., Communications Center, Inc. v. Hewitt, 2005 WL 3277983 (E.D. Cal, April 5, 2005).

However, computer forensics and mirror imaging have been constrained by the courts to avoid overly broad and intrusive measures without sufficient justification. In McMurdy Group v. American Biomedical Group, Inc., 9 Fed. Appx. 822, 2001 WL 536974 (10th Cir. 2001), the Court of Appeals found that mere skepticism about a party’s willingness to produce copies of relevant and non-privileged documentation isn’t sufficient to warrant computer forensics.

Courts have found, though, that reasonable conclusions about the potential whereabouts of relevant evidence can be justification for computer forensics. In Balboa Threadworks, Inc. v. Stucky, No. 05-1157-JTM-DWB, 2006 U.S. Dist. LEXIS 29265, 2006 WL 763668 (D. Kan. Mar. 24, 2006), the court ruled that computer forensics recovery was “particularly important” in this copyright infringement case because of the use of computers to allegedly download copyrighted material. Even though one defendant claimed that his computers were not used for the benefit of the business, the use of said computers to draft a document pertaining to infringement was reason enough to find evidence on any of the computers in question.

To avoid the denial of a request, it helps to create specific and limited requests. See, e.g., Rowe Entertainment v. William Morris Agency, 205 F.R.D. 421, 427-28, 432-33 (S.D.N.Y. 2002), or Simon Property Group L.P. v. mySimon, Inc., 194 F.R.D. 639, 641 (S.D. Ind. 2000).

The Bottom Line

Computer forensics and e-discovery are both valuable ways to retrieve ESI, and countless cases have been critically bolstered by the ESI gathered in the course of an investigation and discovery process.

Because the discovery of ESI can easily become overly broad and intrusive, one must have a clear understanding of the issues when considering the deep-dive approach that computer forensics requires.

For more information, reference my article in “Dunn on Damages” from the Fall 2012 issue.

How to Find Electronically Stored Information

In our case study, gas station owner, Morris, has alleged that Green Fuel, a small gasoline distributor, overcharged him. Both parties had inadequate and unsophisticated documentation, making determining losses very difficult.

However, review of the parties’ sparse documents revealed Green’s electronically produced invoices for fuel sales to Morris, which meant that Green more than likely did have ESI available despite its claims to the contrary.  The new challenge became not only convincing Green that the information existed but also helping Green and its attorneys understand how it could be retrieved.

This is when it’s best to observe and understand the daily routines of the parties. Information-seeking interviews with personnel who regularly use the computer system, such as the accounting clerk or administrator, are a good place to start. Interview questions should seek understanding of the daily routine, including the functions regularly performed and the tools used to accomplish those functions.

Observation of the performance of key functions will also aid in gaining an understanding of the computer system and the software programs used.

In the case of Green, the interview required a few hours with its accounting clerk to observe her daily routine, including the data processing of fuel deliveries, creation of computer-generated invoices and subsequent data processing of payment receipts.

At the completion of the interview, a plan was developed to extract the data from Green’s archaic system, which required a multi-step process including the use of more advanced technology.

A detailed discussion of the process is beyond the scope of this blog, but let’s just say that Green’s archaic system was able to provide electronic records of the gallons of fuel delivered to Morris, the date, and the amount charged – for all eight years.

With the ESI extracted from Green’s database, Morris’ economic loss claims were analyzed using two methods:

  1. As specified under the contract (“the contract method”) – This revealed not only that Morris was not economically damaged, but that Morris had actually underpaid Green in excess of $1 million.
  2. As business was actually transacted (“actual performance method”) – Morris underpaid Green in excess of $700,000.

Morris’ claims were dealt a lethal blow by the analysis of relevant ESI.  Initially, Morris’ claims seemed somewhat feasible due to the lack of data by Morris and Morris’ “bet” that Green would never be able to organize and analyze the data to disprove his claims.

Morris had no way to prove his claims with reasonable certainty, but by using electronic data analysis, Green was able to disprove Morris’ claims (without question) and actually determine that Morris owed Green.  Morris dismissed his claims against Green only two weeks after the findings were revealed to his attorneys.

Adapted from:  “Unlocking the Potential of Electronically Stored Information in Damages Cases.”  Dunn on Damages – The Economic Damages Report for Litigators and Experts 4 (2011): 20-21.  For more information, visit

Electronically Stored Information: The Case Study

You might not think that a small business would have useful or accessible electronically stored information (ESI). Consider this example of identifying and obtaining relevant forensic evidence to determine lost profit damages for one particular small business.

Green Fuel (“Green”) was a small gasoline distributor that provided fuel to local gas stations. Green was owned by a gentleman in his late seventies. He did not use a computer, and his limited office staff included two office administrators, an accounting clerk, and a manager.

Green was a defendant in a state court case where numerous claims were made by Morris, a gas station owner. Morris alleged that Green overcharged him for fuel delivered to Morris’s two small-town gas stations during an eight-year period.

Morris claimed that Green failed to transact business pursuant to their contract, and as a result, Morris suffered economic damages of $1 million arising from overcharges and a failure to share profits as specified by their contract.

At first glance, both parties appeared to have inadequate documentation of fuel deliveries and payments.  The only documentation maintained by the gas station owner, Morris, was some sparse paper receipts and logs regarding fuel delivery.

Moreover, Morris’ stations used unsophisticated point-of-sale cash registers and did not utilize a computer system to maintain accounting records or other records of fuel deliveries. Morris said in his deposition testimony that he relied on Green to keep detailed records of fuel orders and deliveries, which allowed Green to overcharge him.

Green’s documentation of fuel deliveries was only slightly better than Morris’. Although Green used an antiquated DOS-based computer system to maintain limited accounting records, Green’s management vehemently maintained that no electronic record existed of fuel delivery or receipt of payment.

Left with such sparse information to determine losses, the attorneys for both parties were highly doubtful that any meaningful analysis of the transactions could be conducted.

The Green case epitomizes not only the challenges faced in extracting useful forensic evidence in small business lost profit cases, but also the need for persistence in seeking ESI.

The ESI challenge is rarely overcome through force or the use of highly technical jargon; rather, success will come through an understanding and observation of the key personnel’s daily routines, which we’ll discuss in next week’s post.

Adapted from:  “Unlocking the Potential of Electronically Stored Information in Damages Cases.”  Dunn on Damages – The Economic Damages Report for Litigators and Experts 4 (2011): 20-21.  For more information, visit

Unlocking the Potential of Electronically Stored Information

The unsophisticated, unorganized small business is all too familiar – paper records yellowing from age, the vanilla box computer that only reads a five-inch floppy disk (remember those?) and of course the green font tube monitor!

Think twice before you assume that an unsophisticated small business cannot possibly have any useful or accessible electronically stored information (ESI).

Consider this question:  does the business have any printed documents?  Most of the time the answer is yes and chances are those documents were created by some form of technology that potentially possesses valuable ESI.

The quest for relevant forensic evidence in determining damages, especially lost profits, in a small business usually presents unique challenges in retrieving and utilizing ESI.

In fact, many small business owners and managers, as well as their attorneys, are unaware of the types of ESI available that could be the key to their case. Persistence, creativity, and knowledge are necessary to unlock the potential of small business ESI.

Three primary challenges are often encountered with small business ESI:

  1. The information may be stored, entered, or utilized on archaic hardware and/or software.
  2. The owner and employees may be unaware of the type and extent of data that is present on their system. They are often adamant that no useful ESI is available from their system because they have had difficulty or even failed in trying to extract information.  This leads the employees and the owner to conclude that relevant information is just not available.
  3. Small businesses generally have limited resources and their personnel usually do not have the expertise to extract relevant useful data from an outdated system.

Next week, we’ll blog about a true case example that demonstrates how these challenges can come into play with small business ESI.

Adapted from:  “Unlocking the Potential of Electronically Stored Information in Damages Cases.”  Dunn on Damages – The Economic Damages Report for Litigators and Experts 4 (2011): 20-21.  For more information, visit