eDiscovery Daily Blog
Standardizing the Non-Standard Digital Forensics Protocol, Sort Of: eDiscovery Best Practices
Leave it to Craig Ball to come up with a proposed form examination protocol for performing forensic examinations. And, leave it to Craig to teach you what you need to know to use and adapt such a protocol.
In his latest blog post on his Ball in Your Court blog (Drafting Digital Forensic Examination Protocols, available here on his blog and here on his site in PDF form), Craig discusses the ins and outs of putting together a forensic examination protocol, equating the drafting of such a protocol to “writing out the questions in advance” when taking the deposition of a computer or smart phone. In an unusually long blog post for Craig’s blog (dare I say a “Losey-ian” length blog post?), Craig thoroughly covers the considerations regarding drafting a sensible forensic examination protocol (which, as Craig notes, “demands a working knowledge of the tools and techniques of forensic analysis so counsel doesn’t try to misapply e-discovery methodologies to forensic tasks”).
After introducing the topic, Craig properly and bluntly sets the expectation for many of the people he expects to read his post, as follows (in bold, no less):
“If you’ve come here for a form examination protocol, you’ll find it; but the ‘price’ is learning a little about why forensic examination protocols require certain language and above all, why you must carefully adapt any protocol to the needs of your case.”
In other words, you’re missing the boat if you just blindly try to apply his proposed protocol without understanding important concepts of forensic examinations. Would you skip to the end of a movie to see how it turns out? (I’m not sure that’s the best analogy, but it’s the best I can think of at the end of a long day)… Regardless, you should take the opportunity to learn the concept so that you can apply it properly.
While each forensic examination protocol is unique, Craig identifies some common elements that examination protocols should share. Among other things, they should:
- Identify the examiner (or the selection process) and the devices and media under scrutiny;
- Set the scope of the exam, temporally and topically;
- Ensure integrity of the evidence;
- Detail the procedures and analyses to be completed;
- Set deadlines and reporting responsibilities;
- Require cooperation; and,
- Assign payment duties.
Craig then addresses various aspects of those considerations, including points about forensic examination that you might not otherwise think of, such as: Who pays for it? Should you direct the examiner to “undelete everything” or simply try to find potentially relevant files and file types?
Toward the end of the post, Craig then provides an “Exemplar Acquisition Protocol”, adapted from the court’s order in Xpel Techs. Corp. v. Am. Filter Film Distribs., 2008 WL 744837 (W.D. Tex. Mar. 17, 2008). Of course, even the exemplar protocol isn’t perfect – it doesn’t address privilege and confidentiality concerns or forms of production, for example. The key is to take what you learn during the blog post and customize a protocol that works for your case.
As always, Craig’s post is a great read – in this case, it equates to a 15-page PDF file with a preceding cover page – and is well worth checking out. As a provider that offers forensic examinations for our clients, we would love to consistently have such a well-defined protocol!
So, what do you think? How do you define protocols for forensic examination in your cases? Please share any comments you might have or if you’d like to know more about a particular topic.