Legal Bytes

Tiger Woods, Holidays, LinkedIn.com, & Digital Forensics

Happy Holidays.  I hope everyone had a safe and fun Thanksgiving.  My personal approach to the holiday season is to treat everything like I am on the old TV show “Candid Camera” and just laugh.

With Christmas Season starting approximately 2 months ago, I shouldn’t have to remind you (but I will) to use CAUTION with emails, pictures, postings, and of course, voicemail messages.  Believe it or not, when the time is right, these will all be used against you.

Voicemail messages?  Yes, for anyone that hasn’t heard the clip, it appears Tiger Woods called a mistress and asked her to remove her name from her cellphone so that his wife couldn’t identify the caller.  Make sure your clients and employees know that The Lorenzi Group (www.thelorenzigroup.com) can recover live and deleted voicemails.

I had lunch with Manny again, he always wants sushi!  Is anyone using his software tools?  Let’s hear from you.  If you aren’t, please let me know why.

Along with Santa, Hanukah Harry, Kwanzaa Kevin, and Ramadan Richie, CMR217 is coming to town, at least in Massachusetts anyway.   Supposedly, May is the deadline, of course, they have changed the deadline a few times, so who knows.  Does anyone really know?  Regardless, what have you been doing to get ready?  If you’re legal counsel or a CPA professional, have you discussed this with your clients?  Is YOUR office safe? 

Attorney Cam Shilling from McLane (www.mclane.com) and I had a great time working with Karina Drumheller from UNH Professional Development and Training (www.unh.edu) on their Annual Conference – Leading in Times of Change.  We presented on the changing Digital World from an employers’ perspective and how to protect yourself, your company, and your employees.  We had a shill in the audience (Marc) and the biggest comment he made afterwards was that companies still have a long way to go.  Marc felt that the questions were great but showed an overall lack of corporate preparedness.

Is there a Lit Support/Legal Vendor/Attorney job board for local openings only?  If so, please post.  I’m not talking about Monster.com or something that focuses on the world.  I am looking for an easy to access and use website that we can all post to, similar to Craigslist but more organized and only for people being laid off or starting new firms.  If not, there should be.  If so, (again) please post it and I will let people know about it.

ALSP has their monthly lunch and learn on Thursday.  Are YOU going?  If not, why?  These are great opportunities to meet with peers, learn something new, and get out of the office.  If you are not networking now, when you need your network, it won’t be there (HINT HINT lawyers and lit support professionals).

Kevin & Jeff over at Boston Litigation Services (www.BostonLit.com) have launched Chicago Litigation Services (www.ChicagoLit.com).  Things seem to be going very well for them.

Jim Berriman and his team at Evidox (www.Evidox.com) are cranking along as well.  The last call I got from them was to assist them on a project in NYC.  I love NYC.  (NOTE: The Lorenzi Group did the collection on the SAME day)

Jim Gardner has moved over to Key Discovery (www.key-discovery.com).  I spoke with him about 3 weeks ago and am just remembering I owe him lunch.  We were discussing their approach to the Boston market and what the next year is going to bring.  It sounds like they have a focused plan.  I hope he can execute on it.

I spoke to my friend Ari Kaplan (www.arikaplanadvisors.com) the other day.  He has been busy traveling the country helping firms educate their attorneys on the process of networking and business development.  If you haven’t met him or attended a seminar, look him up.  He takes the scary concept of professional networking and breaks it into little steps that are actually achievable.  Remember, if you build your network now, when you need it, it will be there (see ALSP above).  SIDE QUESTION: Are YOU on LinkedIn (www.linkedin.com)?  If not, why?  If yes, are you and I linked?  Along those lines, when is the last time you checked your profile on Avvo.com (www.avvo.com)?  You might want to.

By the way, what does LinkedIn.com let you do?  Why is it a big deal?  LinkedIn.com allows you to connect with other people quickly, often with a warm (personal) connection.  Obviously, LinkedIn.com allows you to see where friends and past colleagues are working.  However, the search tools can help you find new employees, witnesses/ex-employees of clients (or opposing parties), expert witnesses, new contacts locally, contacts in other areas of the country/world, and more.  If used correctly, LinkedIn.com can be a powerful tool that can connect you to people you want to meet (example: Rob knows Brian over at Genzyme (www.genzyme.com), it would help my case or help my client if I could talk to him, let me call/email Rob), and allow people to meet you.  HOWEVER, there is a caution.  The caution is that LinkIn.com can also allow employees to walk off with client contacts and more.  Be sure to have an appropriate acceptable use policy in your office.

Let’s talk digital forensics for a minute (one of my favorite subjects).  Everyone knows we have upgraded to FTK3.  All for all, I am loving it.  I think it is still scaring Jason a bit; lots of colorful buttons (sorry, J).  If you are looking at FTK3, start planning now to upgrade to 64 bit machines.  We have been working with Tony and Jason in Tech Support at AccessData (www.accessdata.com) and are learning that speed can be improved on that platform.  The Tech Support team there must HATE me because I call with some of the most inane questions, but I want to know if FTK3 really is as good as AD says it is.  So far, no complaints. 

Actually, that is not true.  Here are my 2 complaints so far: 1) FTK3 needs to increase the size of the reports it can generate.  This is EXTREMELY frustrating as it takes a long time to generate large reports and if the report generator crashes, you have to start over; 2) Ongoing logging of information has to be better.  When the reports we were generating crashed, there were no logs created – what’s up with that?; 3) Users should be able to restart report generation.  Maybe reports could be broken up into fixed sizes prior to generation and delivered in chunks, similar to their automated data carving and indexing.  (Yes, I did write 3 complaints, glad to see you noticed.)  Did you know it handles Macs, too? 

Speaking of Macs, Derek over at Blackbag (www.blackbagtech.com) had us beta some new tools that are part of their suite, and they were, well, sweet.  Derek, thank you for letting us Beta Test and for the great support you have been giving us.

ASR (www.asrdata.com) released a new version of SMART.  Andy and I have been friends for a long time (in a digital forensics sense).  One of the things I like is that his software runs on anything that has a CD reader.  Plug in the dongle, load the CD and you are ready to go.  I expect to be testing this over the next few weeks, but with the holidays here, it might not be until the end of the month. 

PRESERVATION QUESTION: What do you do to protect yourself when an attorney is hesitant to request electronic evidence to be forensically preserved?  (Yes, amazingly, this is still happening)

Is there anyone willing to discuss digital forensic pricing?  I have been seeing some WILD claims about how expensive computer forensics is, and this concerns me.  Recently I have had conversations with competitors about their pricing models and have heard everything from flat daily rates to per GB rates to hourly rates.  I am not so upset with HOW it is priced but WHAT it is priced.  Some of the models seem absurd to me.

Nationally, we have seen PI Associations push for legislation that computer investigators (I like to say analysts) be regulated by the state under the State PI Associations.  I agree that we should have some type of regulation; however, I don’t think PI’s really want a bunch of tech-savvy geeks encroaching on their space.  I know I don’t want The Lorenzi Group employees to be tailing a cheating golfer, I mean spouse (sorry Tiger), 8 hours a day.  What are YOU doing to protect your business and make sure State PI Associations don’t push their agenda?

I’ll probably post one more blog by the end of the year.  If anyone has comments or ideas feel free to post or email me.  Enjoy the season, stay busy, stay profitable, and stay safe.  – Rob

Digital Forensics STOP!... and Go

As you know, The Lorenzi Group recently upgraded to AccessData’s new FTK3.0.  Over the past week or so, we had a few crazy issues arise, mostly on our side.  However, there was one thing that frustrated me like mad: FTK Crashes. 

In FTK 1.7 and 1.8, there are problems.  We still like, and use, these versions, however, if something isn’t “just right” – say the Red Sox lose a game, or an image isn’t perfect, or it’s not a waning moon, or… god only knows why, FTK will crash while it is Processing the image (average time: 24-28 hours to process a drive). 

BTW: We use the term Processing to describe to technophobes what the machine is doing.  Others will say Data Carving and Indexing, if that makes you feel bigger in your britches, go ahead and say that instead.  

Anyway, as with ALL rules of Murphy’s Law, this crashing typically happens when there is a critical timeline that needs to be met.  Often, we find out later that a file or drive sector is corrupted within the image and we need to skip over it – however, we must start the entire Processing of the drive image over – Another 24-48 hours of time wasted.

This past weekend, we ran some images through FTK3.  One of them, CRASHED!  Ugh.  Besides the nice pretty colors and tabs in FTK3, I wanted to see some real data.  These were supposed to be images of heavily used, not well maintained, machines.  I was not happy.  Explaining to an already suspicious and anxious client why their data isn’t ready to analyze and why the processing failed can be difficult, to say the least.  However, much to my excitement, when I when to restart the image processing, instead of having to start from the beginning, I was able to begin processing from where it left off! 

This is HUGE news in the digital forensics world. 

Why we haven’t been able to do this before, I don’t know.  In my mind, if a software download over the internet can be interrupted and restarted, I never understood why Processing couldn’t either.  So, instead of restarting the image Processing from scratch, I CONTINUED the image Processing.  There was enough time to complete the processing and let us review the data before the weekend was over.  And, because of this, TODAY, the client thinks we are heroes!

NOTE: THIS WAS SUPPOSED TO POST ABOUT A WEEK AGO – Unfortunately, a little thing called real life got in the way…

Digital Forensics Christmas in September?

Excitement is running high over at The Lorenzi Group (www.thelorenzigroup.com).  Access Data Corporation (www.accessdata.com) has just released FTK 3.0 – and this is BIG news.  FTK 3.0 is publicly taking digital forensics main stream.  FTK 3.0 is promising new features that have been needed by digital forensics analysts for years.  At the same time, Access Data is putting themselves and their product out on a limb.  If FTK 3.0 doesn’t work like it’s supposed to, Access Data will have a second FTK PR nightmare on their hands, and that could spell disaster for the company.

After re-upping our licenses yesterday afternoon, we downloaded the FTK 3.0 software.  Jason Dana, at Lorenzi, is preparing to install the software later today.  We are excited about FTK 3.0 because of where we see Access Data taking digital forensics.  One of the most frustrating things for analysts in our industry is the lack of functionality within vendor solutions.  If we tell clients that data is data (which we do), why don’t vendors treat data like data?  Vendors have historically built solutions around “platforms” – Windows, Mac, Linux, UNIX operating systems.  I am not talking about a solution built to run on operating systems, I mean historically, computer forensics software vendors have built:

·         Windows Forensics tool

·         Linux Forensics tools

·         Mac Forensics tools

·         iPhone Forensics tools

Why?  Data is data, right?  1’s and 0’s look like 1’s and 0’s, no?  Why can’t a Windows forensics tool interpret a UNIX file or iPhone file? 

E-Fense (www.e-fense.com) has a nice package.  The Helix product has worked well.  It has been a field agents’ friend for many years.  The new Helix Pro product can even handle some mobile phone forensics (very cool).  ASR Data (www.asrdata.com) has SMART.  I have been both an Andy Rosen and SMART fan for a long time, and still am.  Andy continually comes up with new ways to view, manage, and conduct digital forensics, and has been the closest I’ve seen to true digital forensics.  BTW: What’s the difference between computer forensics and digital forensics?  In my opinion, it is how the data is seen, understood, and utilized.  I have held multiple discussions with Andy on creating an all-encompassing solution.  We also utilize Paraben (www.paraben) forensics tools in our lab.  Paraben has been able to stay on the cutting edge with mobile phone and network forensics.  The new FTK 3.0 could prove a challenge, moving forward, though.  For Mac forensics, Blackbag Technologies (www.blackbagtech) just sent us some updates to try out on Mac drive free space.

Access Data is now in a unique position.  They had a difficult time with 2.0.  In fact, The Lorenzi Group has continued to rely on FTK 1.8, even though we have a 20TB SAN network that could be utilized.  Any time new software is released, we like to test it first.  Our current plan is to load the new FTK software on machines that run FTK 1.8 and run some comparisons.  One of the neat things I am looking forward to is testing the Mac forensics capabilities.  To run our tests, we will be using a test case and a live case in running in parallel with FTK 1.8.  Our plan is to also load and run FTK 2.2 and compare results with FTK 1.8 and FTK 3.0.  Additionally, we will be running our results by the other software packages we have to compare findings and ease of use.  The time has come for vendors to offer complete solutions, to move from COMPUTER Forensics into DIGITAL Forensics.  Have we arrived?  Is it Christmas in September?  I don’t know, but we are going to find out.

Boston Area Hyatts - Was There a WARNing?

I'm not sure I fully understand why Hyatt Hotels let go of their housekeeping for outsourced help.  As a business owner, it is easy for me to see that expenses need to be tightly managed.  However, unless the entire housecleaning staff was incompetent, I can't imagine that tricking staff into training their replacements is going to be a financially sound idea.  As I continue to read about the Hyatt Hotel "switcheroo", I have to ask:

·    Is the laying off 100 or more employees considered a mass layoff? (No pun intended)

·    Does this adhere to the Federal Workers Adjustment and Retraining Notification (WARN) Act?

If 100 housekeepers are not considered a mass layoff and all the proper federal and state WARN act steps were taken, then these layoffs are just a cold fact of the economy today.  However, if this is considered a mass layoff, someone is in trouble.  It may be Hyatt by not properly notifying the Commonwealth.  Or it may be the Commonwealth of Massachusetts, not wanting to deal with any more disappointing economic news. 

What intrigues me the most is that this was not a decision made at the lower management levels.  Most likely, this decision has been discussed and reviewed and analyzed for some time within the Hyatt organization.  And that is where computer forensics comes in.

If it is ultimately decided that something fishy occurred and the Commonwealth or a civil rights group on behalf of the housekeepers brings suit, make sure to ask for the emails, financial projections, and other data that were used to make the decision to terminate the housekeepers.  If it were me, I'd be interested in data created or shared with hotel managers, regional managers, HR, in-house counsel, and other executives.  If the Commonwealth is not involved in bringing the suit, be sure to ask them for electronic communications as well.  The data you want will be both live and deleted, so print out copies won't work.  There seems to be more to this story than meets the eye, so good luck.

BTW: If you are a WARN act expert or have additional information, feel free to share your opinion here.

Tiptoeing Around the Invisible Elephant

Last month I was involved in an information exchange regarding data storage amongst some industry insiders.  Based on the reactions I received from my letter, I think it is important to open up and share.  Please feel free to share your thoughts and how your organization handles these issues.

NOTE: The premise of the question I responded to was how firms are handling the expense and risk of data storage.

My Response:

This is a GREAT question and one we have debated internally for years.
Let me share with everyone our experience and hopefully it will help you
make a better decision. The Lorenzi Group is a digital forensics firm.
To explain what we do at a high level, we are hired to forensically
harvest electronic data, restore it, analyze it, and report on it.

When we first started out, we thought that charging clients for data
storage wasn't necessary. Truth be told, we didn't even think of it
until someone asked the question and we quickly dismissed it. After a
while though, we began to see a repeat pattern/bad habit occurring.
Cases would last for a long time AND when they were finally resolved, no
one would tell us OR (worse) we would know the matter was "resolved" (I
put in quotes the word resolved because of the age-old question: Is a
matter ever REALLY resolved?) but were instructed to continue to hold
the data.

For small cases and small amounts of data this wasn't too bad. However,
once our insurance carrier understood what we were doing, they wanted
more protections in place (rates went up). We also found ourselves
needing more storage space. At first, we just added hard drives. Then
we needed to buy additional storage devices, moving from a network to a
NAS environment to a SAN environment.

Our initial step was to charge a nominal fee to hold data. I didn't
want to charge per GB, b/c that seems inherently unfair to me. There
are always questions about actual size, compression, and a monthly rate
$50 or $100/GB seems outrageous to me. If we have a 100GB hard drive or
100 PST's @ 1GB each (skipping the "compressed or not" AND "attachments
or not" questions) that would be $5,000 - $10,000/month! YIPES!

So, we went with a flat fee approach. Initially, it was $50 per media
per month. This worked really well for a long time (or so I thought).
Once the recession hit, clients stopped paying the monthly fee. I would
call them and they would say, "Rob, it's only $50, we're going to wait
until it accumulates before paying it." or something else to that
effect. Seriously. And you know what? They were right, $50 per month
per media was too small to think about.

After I began analyzing it, we were spending more money on storage than
we were being paid. This $50 did not include: time spent on
collections, increases in insurance, or time maintaining the storage
devices and network. The most simple calculation (for the IT-minded
folks this is strictly to be used as a starting point, not a religious
decree): 500GB internal hard drive = $100. If it is stored in a SAN
device, you need to add in the appropriate percentage of overhead
maintenance costs (electricity, network, FW, IT support, etc), and don't
forget the collections time. Therefore, $50 per month per media was a
joke and had to go. As I struggled to find a better solution, I spoke
with people from many different industries and some everyday examples
came to light. Let me share:

* $36/day to park a car in Boston (more at the airport)
* $25/day to leave a car at the auto mechanic
* $100/month for a self-storage container
* $5/day for clothes at the cleaners

AND REMEMBER: Not one of these comes with any guarantee of protection,
security, or safety. If you are holding data, there are specific legal
and financial requirements that must be met. Even if the client does
not pay, you may not be (are not) allowed to delete the data or post it
to the web - even though you may WANT to! ;-)

So, we came up with another pricing model that we have been using. In
this model, we no longer worry about collections expense, there are
little to none. With this pricing model, all parties are aware of the
cost of data storage up front.

And this pricing model can be YOUR for just $599! If you act NOW, I'll
throw in pricing models for all sorts of other services! LOL ;-)

Back to the pricing model, this is our new model:

We charge a flat rate per media for data storage (NOTE: If the storage
goes above 500GB per media, we alter the pricing). If the client agrees
to EFT payments (instead of us chasing them to be paid), we reduce the
flat rate SIGNIFICANTLY. The fact is, I don't want to be in the data
storage business but due to too many things to list here, we need to be.
Storing data for clients is a hassle and a constant liability that all
of our employees need to be aware of (and constantly reminded of). At
the same time, I want the client to see value in what we are offering
and to understand that it is in their best interest to not allow the
legal matter to linger. This pricing model allows the client to see how
much they are spending on necessary data storage, reduce their payment
significantly by pre-paying or using EFT, and continues to keep them in
control. At the same time, we are able to properly store the data,
don't have to chase clients for "small dollars" (By the way, many
business organizations and law firms have the greatest financial leaks
in "small dollar" services), and maintain a revenue stream.

I am always looking for better ways to run the business. If someone
else has a different perspective or idea, I would love to hear it. My
feeling is that Data Storage is the invisible elephant in the room of
legal costs. No one wants to address it, but if it isn't addressed,
some firm, some company is going to crash hard because of it.

Professionally,

Rob

So, what’s next?  I don’t know.  What I know is that I received 3 types of responses.  The first were private emails sent thanking me for posting some concrete information about how we are dealing with this problem.  The second were private emails sent from vendors offering alternatives – I have touched base with some of them, however I still need to contact a few.  The third?  Silence.  No post or reply, no one offering an alternative solution.  The silence makes me think that people haven’t been thinking about this issue.  The problem is that if your organization isn’t addressing data storage creep now, two or three years from now you will be stuck buying another large storage solution with no one to bill it to.  What do you think?  How do you manage data storage expenses?  Feel free to post your ideas here or contact me directly.

Wet Your Pants & Suck Your Thumb

IT’S OFFICIAL!  Thumbsucking, podslurping, and sneaker-grabbing have become everyday lexicon in IT departments.  And if you don’t know what these terms mean, this is for you! 

All of these terms describe ways employees are walking out the door with confidential information.  Thumbsucking uses USB Thumb drives to copy data allowing for information transfer at a later date.  A typical example of a “Thumbsucker” is the employee that is always using thumbdrives to carry information around.  Worse are the “Thumbsuckers” that continually ask for new thumbdrives or often lose them. 

The ever present iPods are excellent cover for listening to music while copying anything from contact lists to document files…. all at the click of a button.  “Podslurpers” are funny.  They want to be able to download and listen to music on their iPod.  They simply connect their iPod to the work computer and work away… at downloading your data.  It appears they are working and enjoying some tunes, however, that may not be the case!  An iPod can hold up to 360GB of data, and any type of data – songs, pictures, spreadsheets, CAD drawings, you name it.

Amazingly, even good old fashion “sneaker-grabbing” corporate theft is on the rise.  “Sneaker-grabbing” refers to the age-old art of printing out confidential documents and walking them out of the building.  Unless you have a print server that logs activity, you may never know how much info someone has taken. 

Knowledge-based workers can drive companies to success.  If you are not managing and protecting your corporate knowledge, you risk losing a competitive advantage, potential patents, prospective partners, and your business.  Employees are the number 1 conduit of confidential information leaks.

For Organizations - Things You Can Do TODAY:

1)      Review corporate policies regarding confidential information, data storage, and data access.

2)      Inform employees of your policies.  Require them to sign appropriate non-disclosure agreements.  Strictly police and enforce your policies.

3)      Asset tag equipment – including USB Thumbdrives. 

4)      Only allow company-owned equipment on your network – NO EXCEPTIONS!

5)      Install network monitoring tools to identify abnormal user patterns.

6)      Consult with legal counsel to discuss options for better protecting your data as you grow.

These basic steps can protect you, your company, and your employees AND allows the company to focus on important things like generating revenue and servicing customers.

For Attorneys - Why This Is Important to Litigation & eDiscovery:

Thumbsuckers, Podslurpers, and Sneaker-grabbers exist in every organization.  The trick is to figure out whom they are AND if they are relevant to the litigation.  When initiating Litigation Hold notices to opposing parties, make sure to CLEARLY state that all files should be preserved – including registry files and network monitoring logs.  Often opposing parties will preserve only what THEY think is relevant.  If counsel doesn’t know to ask for network activity logs and registry info, critical data can with-held or lost. 

Many times we have seen attorneys realize too late (at the end of the discovery process) that Intellectual Property, customer lists, financial data, or other information was taken by the opposing party; however the attorney only requested from opposing counsel emails and document folders making the evidence of how the data was taken unavailable.  Don’t let this be you. 

Yea, I'm Talking to You... Punk. Are YOU Being Cyber-Bullied?

If you’ve been following the national news lately, you’ve seen articles and programs on teens and cyber-bullying.  To bring everybody up to speed:

CYBERBULLYING is the act of using the telecommunications (internet, mobile phones, PDA’s, etc.) to harass, terrorize, intimidate, trick, embarrass, or influence individuals.  NOTE: SEXTING falls in this catagory.

The basic idea is that pictures and recordings of an individual or group are posted online.  These pictures either show the victim in a suggestive or compromising position.  By the time the website goes live, how the bully obtained the pictures is irrelevant but typically the individual was coerced or, more likely, the pictures or video themselves are doctored so people will see what they want to see.

Many of the programs mention websites like Myspace.com and Facebook.com.  Of course, there are other sites that can be used, as well as the possibility of posting stand-alone sites.  This is a growing problem throughout America and, for now, there is little more that can be done, than educating children BEFORE they go down this path.

The real problem happens after the bully is found out.  What kids don’t understand is that this type of activity is criminal and could lead to very serious, long-term consequences.

What does this mean for corporate America?

It means a lot.  First, we are beginning to see this type of activity creep into corporate America.  Peers and employees are beginning to see the face of cyber-bullying first hand, and with it all the legal proceedings that come with it.

Secondly, the question of liability ownership (and who will pay in the civil suits to follow) arises.  Not only will the revealed bully be in trouble but you could be too.  The answer will come down to: How proactive are you in maintaining your company owned technology equipment? 

The follow-up questions to that are:

• Are the children of employees using company-owned computers, cell phones, or PDA’s? 
• Does the company require employees to read and sign fair usage policies? 
• How does the company monitor employee activity? 
• What tools proactively identify potential problems?

Our experience shows that employees do not understand how much data can be recovered (and used against them).  With the explosion of cyber-bullying in schools and its creeping into corporate America, we strongly recommend that employers consult with their legal counsel to develop a strategy that mitigates cyber-bullying in the workplace and protects their organizations, their employees, and themselves from criminal and civil suits.

Kindred Spirit

The other day I went to lunch with someone who worked in Litigation Support for McDermott, Will & Emory.  After the initial pleasantries, we started walking down to a restaurant he knew of.  Manny asked me to explain (again) what it is we do and why it’s different than anyone one else.  (Basically, he was telling me that my company was just another commodity – thanks Manny!)  ;-)

Before I jumped into another explanation, I thought about the question.  In that split second, I realized the services my firm offers DO NOT MATTER!  Manny is a smart guy (we will get to this in a minute), so I am sure he knows more than a handful of individuals and companies that can forensically harvest data and analyze it.  What I replied to Manny was this: the Lorenzi Group is a digital forensics consulting company.  But THAT is irrelevant.  What is interesting about us is how we approach the business.  At this point, I asked him a question: Why does everyone make our business so difficult?  He asked me to explain.  I told him I was frustrated with the fact that the Legal Services & Support Industry make things complicated.  In an effort to hide from saying “I don’t know”, we’ve developed inconsistent and vague vocabulary.  I pointed out that pricing models are outdated and not realistic to the needs of today.  I suggested that vendors don’t build compatibility into their solutions… and this one of the reasons eDiscovery has taken so long to get off the ground.  I think I saw him smile.

Manny is an interesting guy.  He came from another area of the country where Litigation Support and eDiscovery were quickly becoming a way of legal life to New England – possibly the last place in America to adopt and consume eDiscovery.  He has seen first-hand, what it takes to build great teams and execute efficiently.  He understands the economics behind Litigation Support as a revenue center… and his firm is reaping those benefits.  One of the great things Manny has done is share some of his frustrations.  Some time back, Manny, being Manny, became frustrated enough to do something about it.  He started using his mad (note: feel free to change to “wicked awesome” or other regional slang) programming skills to develop tools to help him do his job.  Then, out of the goodness of his heart, he posted them on his website: www.ninosystems.com  And THIS is why I wanted to eat lunch with Manny.

As we ate lunch, we discussed many different topics.  However, they all revolved around creating standards and making it easier for Litigation Support, Vendors, Expert Witnesses, and Clients to work together.  One of the big changes I see coming is a shift in how organizations utilize their legal counsel.  With IP increasingly becoming the most valuable asset, especially in the SMB market, relationships between client and counsel must become tighter.  The easiest way for this to occur is to have more frequent 1-on-1 communication between clients and counsel without billing (and therefore COSTING) an arm and a leg.  It is in OUR best interest, as businesses and industry participants, to make sure this happens. 

At lunch, I felt as though I had found a kindred spirit, of sorts.  Although we work on opposite sides of the fence (so to speak), we both believe that the more we can remove the fence and the more we can trust each other, the easier it will be to work in this industry and provide true value to our clients.  The Lorenzi Group is doing this by defining services, creating intelligent pricing models, and educating clients.  Manny and his team are doing this by asking the difficult questions, developing solutions, and asking for feedback.  And, if you haven’t already, check out www.ninosystems.com for some great (free) lit support tools.

Preservation is Key

The other day, I received a call from a new client telling me that he needed our services.  This was an attorney that we had met at a presentation on digital forensics.  He seemed anxious as he discussed with me the matter.  Here is the synopsis:

An employee of his client quit and went to work for a competitor.  Not only that, this happened a few months ago and it now looks like another employee of the client is helping the ex-employee… possibly getting ready to leave.  (NOTE: This is standard MO.  When 1 employee leaves, almost always another will follow a few months later.)

At this point in time, I asked the attorney 3 questions:

1.       How quickly can we make forensic images of the computers used by the ex-employee and existing employee?

2.       How quickly can we make a forensic collection of the company email store and network drive?

3.       Can we have a copy of the clients’ corporate Employee Acceptable Use policy sent to us?

The attorney, sounding a upset, continued his story.  He told me that the company doesn’t have a strict email policy and that many employees use gmail or hotmail accounts instead of the company email.  He also went on to say that the computer the ex-employee used was “recycled” to another employee.  Fortunately, though, the IT department used Norton Ghost to image his machine before they reformatted his hard drive and gave it to someone else.  (NOTE: This is a VERY typical, and unfortunate, scenario.)

The attorney was calling us because he remembered the presentation and that we could restore deleted data and review emails and he had an image… so he thought.

I explained to the attorney that we would do what we could, however, there were going to be some significant hurdles.  The biggest hurdle was that the Norton Ghost image was not a forensic image, it was a copy of selected live data using non-forensic tools by an individual that is inherently biased, as he worked directly for the client.  I explained to the attorney that we could take a forensic image of the existing employee’s computer and work with that.  I also explained that using webmail accounts, can create additional issues for both email reconstruction and identifying account ownership.  After discussing these issues with the attorney, he asked me what could we do with the evidence that was left.  These are the steps I gave him:

1)      Forensically image the computer used by the existing employee

2)      Review the data from Norton Ghost

3)      Forensically image the recycled computer (not likely to obtain results, but protect form any further damage)

4)      Review network storage for any activity

The BIGGEST thing to remember is that to be preserved, data needs to be forensically imaged.  It is critical that when employees leave, data be properly preserved – even if the client doesn’t suspect a lawsuit will arise.  Some of the lawsuits we have seen arise AFTER an employee has left involve:

·         Breach of Contract

·         IP Theft

·         Sexual Harassment

·         Discrimination

·         Financial Mismanagement

Forensic preservation of electronic data is important for both eDiscovery and MEDiscovery.

E-Discovery is OUT, ME-Discovery is IN!

I was recently at an ECA (Early Case Assessment - for the acronym weary) presentation in Boston.  The neat thing was that there were many vendors in attendance.  Oftentimes people complain about this.  However, I found it very interesting to chat through lunch with the other attendees, listen to the presentation and the questions that were being asked.

As it is, I happened to agree with much of what the panel was discussing.  However, that's not what this blog is about.  After attending the event, I started to think more about ECA, lawyers, and their clients... and I've come to a conclusion: MY e-Discovery is more important than YOUR e-Discovery.  That's right.  If a party in a lawsuit is fully aware of the data they have BEFORE sinking neck-deep in a lawsuit, they can make educated, financially-driven decisions on how to handle the suit, using hard data to back them up.  The real question is: How is this accomplished?  Here are some of my thoughts:

1) Law firms need to move away from their historically siloed services model and create environments where employment, litigation, real estate, patent, contracts (and more) work together to provide "client-best" services.

2) Law firms need to embrace technology solutions and assist clients in making transitions into streamlined data management.  Psst!  Here is the trump card - when clients become parties to lawsuits, they rely on their lawyers, not IT personnel or accountants, to protect them.  Clients will listen to their attorneys.

3) Clients need to be encouraged to embrace technology solutions that will capture critical data.  This can be accomplished through direct conversations between legal counsel and their clients.  Off-the-shelf data segregation and network monitoring tools currently available today can help.

So, will these ideas take off?  I don’t know.  What I know is that clients are already frustrated with the amount of time and money litigation can take.  Many clients have been mis-educated on the legal process and do not understand how litigation works.  I also know that many law firms are looking for new ways to provide value-added services to clients.  I propose that we stop worrying about the information and data the other side has until AFTER we know what we have.  Let’s save clients money and put the ME in E-Discovery.  If law firms, their vendors, and clients can work together there will be ample opportunities to thrive.