Unless Your Data Capacity is Unlimited, You Don’t Have Enough

Victor Limongelli From time to time an organization considering bringing electronic discovery in house will look at solutions that offer a fixed amount of data capacity for a fixed price --- say, 1 TB of capacity for a license fee of $200,000. Very often part of the prospective customer’s analysis is “How much capacity do we need”? The answer, unfortunately, is treated like a static arithmetic problem, with reasoning along the lines of “well, we average about 100 custodians per year, and our data per custodian averages about 8 GB, so if we buy 1 TB of capacity, we should be fine. Sure, we might get a few more custodians or a case with a bit more data, but we’ve built in a buffer in terms of capacity.”

Unfortunately, that type of analysis is fundamentally flawed because it vastly underestimates a key variable – the volume of data per custodian.

Looking at recent history, in the 2005 time frame it was common to see data volumes per custodian in the range of 1 GB. Nowadays, 8GB or 10GB per custodian occurs frequently. That is 8x or 10x the amount of data per custodian in a half-dozen years! If data continues to grow at that rate – and there is no indication data growth is slowing down – in six years data per custodian will be 50 GB to 100 GB! In other words, over the next half-dozen years, that 1 TB of capacity purchased for an in-house electronic discovery system will prove woefully inadequate, with 5 TB – 10 TB required – even if the number of cases and the number of custodians does not increase at all. That $200,000 software license will need to be expanded at least 5x, resulting in an additional license fee of $1,000,000 or more, and a total cost of ownership far in excess of what was originally planned. The situation, of course, will be much worse if the number of cases or number of custodians also increases.

That result is not surprising when one considers that, outside of the electronic discovery context, data volumes continue to grow, with no end in sight. The Economist reported last year that “The amount of digital information increases tenfold every five years.” Similarly, a graphical representation of the growth of data storage is available here.

Given the ongoing explosion of electronic data, and the uncertainty about future cases and custodian numbers, doesn’t it make more sense to implement a system that does not restrict the number of cases, the number of custodians, or the amount of data? One of the goals of bringing the electronic discovery process in house is to achieve cost certainty, so that the legal budget is not bushwhacked by the growth of electronic discovery. The way to do that is to insist on a solution that offers unlimited data capacity, unlimited numbers of cases, and unlimited numbers of custodians.

Victor Limongelli is president and chief executive officer of Guidance Software.

Introducing the EnCase Smartphone Examiner

Guidance Software We’ve already mentioned that EnCase® Forensic v7 will feature smartphone acquisition. But investigators can collect critical evidence on smartphones now with the EnCase® Smartphone Examiner.

The tool can help law enforcement, security analysts, and e-discovery specialists who need to review and collect data from smartphone and tablet devices, such as the iPhone and iPad. Investigators can process and analyze smartphone device data alongside other types of digital evidence within Guidance Software tools.

Guest Lecturing at Mike Berman’s E-Discovery Law Class With Chief US Magistrate Judge Paul Grimm

Patrick Burke Mike Berman is one of the pioneers of e-discovery law school education. He has been teaching e-discovery law classes at the University of Baltimore and University of Maryland law schools since 2008, longer than almost anyone in the U.S. Most law school civil procedure classes barely mention e-discovery, largely being taught by law professors with little recent practical experience litigating cases involving electronically stored information.

Last week I had the privilege to guest lecture at Berman’s University of Baltimore Law School class together with none other than Chief U.S. Magistrate Judge Paul W. Grimm. Berman and Judge Grimm have been friends for years and used to co-teach the class, now Judge Grimm has taken on the law school’s evidence course and guest lectures at Berman’s e-discovery class. Both focus on showing law students how e-discovery will affect their future practice of law, and how being ahead of the curve can help advance their legal careers. Judge Grimm advised the students that if asked in interviews what value they would bring to a law firm, they merely need to say “I understand Federal Rule of Evidence 502.” He expressed his conviction that it is mostly the lack of familiarity and comfort with computers by older lawyers that cause a great deal of e-discovery preservation problems, including failures to put agreements in place with adversaries to take advantage of FRE 502’s protections against privilege waiver, a failure which he considers often amounts to malpractice.

Berman caught on to importance of e-discovery early on, and then also to the importance of training a new generation of lawyers to do it better than their older (but not wiser) fellow lawyers. In addition to teaching and litigating, Berman counsels companies on e-discovery challenges and is available as a mediator or special master on e-discovery topics.

Check out Berman's blog here.

In E-Discovery, Forensics is Strength

Guidance Software We saw a couple items this week that caught our eye, and that together underline an inescapable truth. First, Craig Ball wrote an excellent article on anti-forensics, in which he noted that “[the fact that] a party has intentionally destroyed or altered evidence [is] alleged and proven with disturbing frequency.” He details how he uncovered spoliation in a particular case, and concludes that “anti-forensics is counterproductive,” but is something that counsel should be on guard against.

Second, we saw that Clearwell posted an explanation for its appearance in a published Order from U.S. Magistrate Judge Elizabeth Laporte in Datel Holdings Ltd. v. Microsoft Corp. Coming fast on the heels of the negative reference to Clearwell in the government’s brief asking for a stay of Judge Scheindlin’s Order in National Day Laborer Organizing Network v. U.S. Immigration and Customs Enforcement Agency, a case in which the Declaration of the Director of the Freedom of Information Office at ICE went into great detail about the problems the government had run into with Clearwell, it undoubtedly was important for Clearwell to clarify what had happened in the Datel case. In this instance, Microsoft unwittingly produced portions of an email thread that Microsoft’s lawyers had listed on their privilege log. Microsoft’s counsel argued that the disclosure of the material was inadvertent, and was due to, as Judge Laporte put it in the Order, a “glitch” in Clearwell. As it turns out, Clearwell explained that the problem was really Microsoft’s, in that the software Microsoft used to decrypt previously encrypted content had truncated certain documents before they were loaded into Clearwell.

What do these two items have in common with each other? They highlight the critical importance of forensics technology – which can handle all types of data and all types of cases – in an in-house electronic discovery system. Certain vendors who, unfortunately, are forced to rely on the computer’s operating system to search and collect data have tried to argue that “forensics is overkill,” but nothing could be further from the truth. An in-house electronic discovery system based on forensics can find hidden data (which can be critical in trade secrets, IP, or fraud cases, or in internal investigations), and can handle encrypted data, so that you are not forced to decrypt in a third-party tool before entering the data into your e-discovery application. Why deploy a partial solution?

Certainly, given the data volumes and number of devices, forensics technology that can be targeted at potentially relevant data is critically important. But there should be no confusion – “forensics” does not mean that “full-disk” images must be taken. Rather, it means that the technology does not rely on the computer’s operating system to identify, collect, and preserve potentially relevant data, so that all cases can be addressed by the system without disrupting custodians; it means that all metadata is protected throughout the process, so that you don’t find yourself in the situation of the government in NDLON; and it means that hidden, embedded or encrypted data can be addressed within the system, so that you do not have to rely on other tools to “massage” the data before using your electronic discovery system. On that last point, EnCase® eDiscovery has built in integration with Microsoft’s RMS encryption tool – the encryption at issue in the Datel case – as well as built-in integration with other common encryption tools such as PGP, SafeBoot, Credant, Utimaco, Guardian Edge, etc. All kinds of cases, all kinds of data – that’s the strength of a forensics backbone in an in-house electronic discovery system.

Patrick Zeller is vice president of e-discovery and deputy general counsel at Guidance Software.

EnCEP Name and Logo Awarded U.S. Trademark

Jessica Bair In September 2009, Guidance Software announced the EnCase Certified eDiscovery Practitioner (EnCEP) program, creating the first e-discovery certification testing program. The EnCEP® program certifies private and public sector professionals in the use of the EnCase® eDiscovery software, as well as their proficiency in e-discovery planning, project management and best practices.

On March 29, 2011, the U.S. Patent and Trademark Office registered, as a certification trademark, the Guidance Software EnCEP® name and logo.

The mark certifies that “the electronic discovery services are provided by a person who has been trained in EnCase® eDiscovery software and has passed the examination and application standards which indicates the person has the skill and knowledge to provide the services.”

EnCase® eDiscovery is the leading e-discovery solution for the search, collection, preservation, and processing of electronically stored information (ESI). Earning the EnCEP® certification signifies that a practitioner is skilled in the application of the solution, to manage and successfully complete all sizes of e-discovery matters in accordance with the Federal Rules of Civil Procedure.

The EnCase® Certified eDiscovery Practitioner program was created with the input of industry experts, to meet the needs of our EnCase® eDiscovery users who are handling electronic evidence in both routine and some of the largest and most complex litigations of our day. Candidates who complete the EnCEP® program, and earn the designation, will have demonstrated their expertise in the leading edge EnCase® technology and methodology for the collection and processing of electronically stored information.

Over the past decade, Guidance Software has certified more than 3,000 computer investigative professionals with the globally recognized EnCase® Certified Examiner (EnCE) designation. The EnCEP® program similarly enables e-discovery practitioners to demonstrate their skills, training and experience in the proper handling of ESI for legal purposes.

Jessica Bair is senior director of curriculum development at Guidance Software.

Digital Forensic Analyst Uncovers Metadata Back-dating: Supports $1 Million Sanction

Patrick Burke David Klausner has joined the $1 million club – meaning the small group of forensic analysts who have uncovered evidence tampering serious enough for a judge to impose a million dollar fine. Using EnCase® along with several other forensic tools, Klausner, operating out of Redwood City, Calif., demonstrated to a federal court in Chicago that key evidence purposely had been backdated by turning back the clock on a PC before an original set of source code was overwritten and replaced with back-dated updated source code. See the decision here.

Klausner’s testimony also convinced US District Court Judge Sharon Johnson Coleman that computer hard drives, USB drives and zip drives were “wiped.” Klausner explained how he had discovered the wiping because the wiping tools leave behind a “fingerprint” that may be detected by certain forensic tools. The key witness later admitted that he used a wiping program and that the purpose of his wiping was “[t]o make sure that any files on there were not recoverable other than the ones that I put on there.”

According to the decision, the sanctioned company’s lawyers, instead of investigating the questioned authenticity of their key evidence, simply complained that the accusations were unfounded. Judge Coleman sanctioned the lawyers too: they must reimburse Klausner’s client for the cost of pursuing the investigation of the wrongdoing. Which places Klausner well into the $1 million club.

Premier Digital Investigations Conference to Return

Guidance Software Guidance Software will host the eleventh annual Computer and Enterprise Investigations Conference (CEIC), the industry’s premier digital investigations conference, May 15 – 18 at the Loews Royal Pacific Resort at Universal Orlando.

At the conference attendees can choose from more than 110 learning sessions, led by some of the world’s foremost experts in computer forensics, e-discovery, cybersecurity, and enterprise investigations. Attendees can create personalized schedules to focus on their unique interests. Every session earns Continuing Professional Education (CPE) credits and the e-discovery Lecture Track offers Continuing Legal Education (CLE) credits.

Other activities at CEIC 2011 include:

-- A track dedicated to EnCase® Forensic v7, an upcoming version of the popular digital forensics software, as well as tracks on e-discovery and cybersecurity

-- EnCase Certified Examiner (EnCE®) and EnCase Certified eDiscovery Practitioner (EnCEP®) exams offered to qualified attendees at no additional cost

-- Networking opportunities with peers and experts to preview the latest technology and services from leading providers in the exhibit hall.

Keynoting at the show is Eric O’Neill, subject of the 2007 film “Breach” for his undercover role in the capture of Robert Phillip Hanssen, one of the most notorious spies in U.S. history. Currently O’Neill is a founding partner of The Georgetown Group, where he specializes in counterintelligence and counterterrorism operations, security risk assessment, investigations into economic espionage, internal investigations, and background investigations.

Last year, a record 1,300 attendees joined the tenth anniversary of CEIC.

Follow CEIC on Twitter at www.twitter.com/CEIC_Conf. The Twitter hash tag for the 2011 CEIC Conference is #CEIC2011.

Visit the CEIC 2011 website for the agenda and to register at http://www.ceicconference.com..

Kim Peterson is the CEIC event manager.

Clearwell Gets Its First Case Mention

Patrick Zeller Since EnCase® has been used in hundreds of thousands of cases, and mentioned by name in over 70 reported decisions, we know a little something about the pride an organization feels when its software gets highlighted in a judicial opinion. Now getting mentioned in a brief filed in a case, as opposed to a reported opinion, won’t usually set hearts aquiver in quite the same way, but something tells me that Clearwell’s mention in the government’s brief asking for a stay of Judge Scheindlin’s groundbreaking Order in National Day Laborer Organizing Network v. U.S. Immigration and Customs Enforcement Agency has nevertheless created some nervous excitement for them. First, Immigration and Customs Enforcement (ICE) highlighted that using Clearwell for FOIA purposes had already cost it over $300,000, and that “[c]ontinued use of the software will require an additional expenditure of funds in an unknown amount, perhaps in the hundreds of thousands, if not millions, of dollars.” Well, it may cost a large, growing, and ultimately unknown amount, but on the positive side at least “ICE was required to suspend many of the agency’s security protocols in order to allow Clearwell to run properly.” Er, wait, uh . . . never mind ICE, what about the other defendants? The FBI noted that it would be able to use Clearwell to process 79 spreadsheets, but that “Clearwell will be unavailable for future productions because it has reached maximum capacity . . .”

UPDATE (March 29, 2011): Last week we blogged about Clearwell getting mentioned in the government brief asking for a stay of Judge Scheindlin’s Order in National Day Laborer Organizing Network v. U.S. Immigration and Customs Enforcement Agency. Supporting the government’s brief was the Declaration of the Director of the Freedom of Information Act Office at ICE, available here. It contains a number of bold statements such as: “[The ICE Office of the Chief Information Officer] decided that given the tremendous technical difficulties and huge expenditure of manpower . . . associated with operating the Clearwell software . . . the agency should abandon the Clearwell application and discontinue its use.” (Declaration at ¶ 14)

Thinking about the situation more broadly, it seems that Judge Scheindlin has an uncanny knack for issuing landmark opinions in e-discovery cases, but each of them highlights situations that others can avoid by using commercially available software that is suited for the task at hand – to collect and preserve potentially relevant data, thereby avoiding the problems of the defendants in the Zubulake cases, to issue and track legal holds and conduct online surveys of custodians, thereby avoiding the problems in Pension Committee, and to properly preserve metadata, thereby mitigating the problems in NDLON v. ICE. (As Judge Scheindlin noted, “[b]y now it is well accepted, if not indisputable, that metadata is generally considered to be an integral part of an electronic record.”) As we pointed out earlier, EnCase® eDiscovery is an in-house e-discovery system that can handle all types of matters, without disrupting an organization’s business or impacting its security protocols. Instead of capacity limitations, it has no constraints on usage. Instead of unknown future charges, it delivers cost certainty.

Patrick Zeller is vice president of e-discovery and deputy general counsel at Guidance Software.

Legal Hold . . . and Everything Else

Victor Limongelli We saw Clearwell’s announcement of its new Legal Hold Module last week, and we have to say we are in wholehearted agreement that full-fledged Legal Hold capabilities (Hold Notices, Auto-Reminders and Auto-Escalations, Online Custodian Surveys, and Automated Tracking and Reporting) are part-and-parcel of any comprehensive electronic discovery system for in-house use. Given the critical nature of legal holds in fulfilling preservation duties, this may seem obvious – and it’s why EnCase® has offered integrated legal hold capabilities for over two years now, since March 2009. Indeed, if a system claiming to provide in-house electronic discovery does not offer these capabilities, it should be summarily disregarded.

Of course, there is other – perhaps just as obvious – critical functionality for an in-house electronic discovery system. It goes without saying that any system must provide the in-house team with the means, broadly speaking, to collect data, process it, and view it. However, when looking at the specifics of available systems, it is clear that without full-featured capabilities in the following areas, an in-house electronic discovery system is a mere illusion, an abstraction, with the name “e-discovery” but without the means to actually accomplish the necessary tasks:

-- First, an in-house electronic discovery system should be able to handle all types of cases – there shouldn’t be a class of cases that it simply cannot act upon. For example, there are a set of cases – such as IP theft, FCPA, fraud, or employee disputes involving allegations of discrimination or harassment – in which hidden data may be critically important. Electronic discovery systems that rely on the computer operating system (such as Windows) can “see” only what the operating system presents to them, so this critical evidence can be missed entirely. Because of this, for an entire set of sensitive cases, systems that rely entirely on the operating system simply cannot be used. When choosing an electronic discovery system, why deploy a solution that can handle only some of your cases, when you can deploy a solution that can handle them all?

-- Second, an in-house electronic discovery system should disrupt the organization’s business as little as possible. Litigation is always somewhat disruptive, but the legal department and IT team tasked with gathering data are used to and can handle that disruption. What is crippling is when ordinary employees cannot focus on business because of litigation. Electronic discovery systems that rely on the operating system to find and collect potentially relevant data not only cannot find hidden data, but they cannot even collect files that are in use by the custodians – for instance, every custodian will have to exit from Outlook before you can search and collect their PSTs. Imagine the scenario for frequent custodians . . . good luck calling the CEO repeatedly to tell him to get out of Outlook, or calling the CFO over and over again to tell him to close his spreadsheet so you can search it – why deploy a solution that requires you to harass your custodians, when you can deploy a solution that does not bother them at all?

-- Third, an in-house electronic discovery system should offer the ability to enhance your position by cleaning up data before litigation strikes. There is a reason that the very first box in the EDRM is labeled “Information Management” – in order to reduce data volumes, cost, and risk, it is advantageous to get rid of outdated data, yet many systems claiming to offer in-house electronic discovery offer no capabilities whatsoever when it comes to cleaning up data from laptops, desktops, and servers. With EnCase® you can get rid of data that is no longer needed; why deploy a system that can focus only on the case at hand, when you can deploy a system that also offers the capability to identify and clean up problematic data?

-- Fourth, an in-house discovery system should be able to process your data without missing potential evidence. For instance, suppose you want to run a compound search – say, “(dog or cat) w/5 (house or tree or yard)” – across your custodians’ data, and a key custodian sent an email that had as an attachment a zip file, in which there was a Word document, and in that Word document there was a spreadsheet, and in that spreadsheet there was a PowerPoint presentation . . . there are so-called electronic discovery systems being marketed today that would not search that PowerPoint presentation at all – with embedded documents, they only search two or at most three levels deep, and they don’t even tell you about that limitation, so you review your results thinking you’ve searched the data set, when in fact you’ve only searched some of it. There are other systems that cannot even run the kind of compound search shown above – the kind of search lawyers have been running for years in Lexis and Westlaw. Again, why deploy a partial system when you can deploy a full-featured system that gives you the confidence you need to make case decisions?

-- Fifth, when you use an in-house electronic discovery system, you shouldn’t have to worry about metadata – the system should automatically preserve all file and email metadata, so that you can avoid haggling with your opponent about which metadata fields are relevant, and, more importantly, avoid the problems that have befallen litigants who failed to properly preserve metadata. When it comes to metadata, if you use an in-house electronic discovery system worth its salt, properly handling metadata is not difficult and is not something that should worry you; if you don’t use such a system, however . . .

-- Finally, an in-house electronic discovery system should not limit your capacity or number of cases. The whole idea of bringing the electronic discovery process in house is to reduce risk and lower cost; the old approach of outsourcing led to operating expenses skyrocketing whenever a large case hit. If you are bringing electronic discovery in house, why buy a solution that charges you by the volume of data, or, even worse, only provides you with a set amount of data capacity, when you can buy a comprehensive solution for a fixed price that lets you tackle an unlimited number of cases and an unlimited amount of data?

Victor Limongelli is Guidance Software's president and chief executive officer.

Vendor Pedigree Helps Determine Who's Best in Show

Guidance Software Rarely are options a bad thing. We tend to favor restaurants with diverse menus. Cable television provides us with hundreds of channels. And the Internet is a vast patchwork of blogs, social networking sites and homepages.

But too many choices can be overwhelming. In a sea of options, how do you find what you're really looking for? And how do you know that what you choose is the best option?

This dilemma is currently being played out in the e-discovery space. Over the last couple years, the e-discovery market has seen a boom in software offerings. Never before have legal and IT professionals had so many options when it comes to e-discovery technology. Although this empowers e-discovery professionals with more choices, it also makes the procurement process more difficult.

As in-house counsel and IT personnel shop around for the right solution for their company, they should keep in mind a list of criteria. Some of this criteria are universal, applying to virtually all companies regardless of industry or size. Other criteria are unique. After all, the needs of companies at the top echelons of the Fortune 1000 are not the same as those at the bottom.

So what criteria should you use when selecting an e-discovery solution?

One of the most basic criterion you should consider is the vendor's pedigree. This is a universal consideration, one that all companies should investigate prior to making a software purchase decision.

There are several reasons why vendor pedigree is important. First, there are extreme consequences for failing to conduct e-discovery in a reliable and defensible manner. You need to partner with an organization that has a proven track record of assisting in the execution of a defensible e-discovery process.

Additionally, a company's e-discovery needs will likely change over time. Changes to the industry, growth within the company and increases in litigation may all necessitate tweaks to e-discovery software. A vendor that can adapt to these changes is critical.

Also, switching e-discovery vendors can present an enormous cost. Yet, if your software provider bows out of the market, you will be left with little choice but to browse for a new solution. That is why a financially sound, veteran vendor is ideal.

When shopping for an e-discovery solution, you should take the following steps to assess the vendor's pedigree:

- Obtain statistics on the vendor that address its financial health and longevity. Important figures include information related to its finances, number of clients and years in business. Additionally, your vendor should have extensive experience in e-discovery.

- Search for independent industry endorsements that ensure you're dealing with a "trusted vendor." Important resources include awards, certifications, judicial court references and customer references.

- Make sure the vendor possesses a wide range of service offerings. This will ensure it can meet your changing needs. Things like training, certifications, pre- and post-deployment services, and casework and staff augmentation services are traits of an adaptable vendor.

- Ensure the vendor has an internal team of e-discovery experts, not just one or one that does this part-time as part of their corporate legal duties. The e-discovery space is far from static. Court opinions continue to alter the rules of the game. A vendor with internal experts can address these changes with new, more robust service offerings and features.

- Understand the vendor's support model, including technical expertise, staff accessibility, hours of operation and escalation process.

Read more about how to choose the right in-house e-discovery solution.

Subscribe to and download Real eDiscovery Magazine.

Learn about EnCase® eDiscovery.

Russ Gould is director of product marketing at Guidance Software.

Certifications Bolster Litigation Attorney’s Skills

Guidance Software Richard Lutkus is an e-discovery litigation attorney at Seyfarth Shaw in Chicago. Prior to assuming his position at the firm, he entered the legal industry with a passion for both law and technology. However, even though Lutkus possessed advanced legal and technical knowledge, he didn't have a formal background in computer science. To bolster his skills in the area, Lutkus decided to enroll into Guidance Software's EnCase® Certified Examiner (EnCE®) program and the EnCase® Certified eDiscovery Practitioner (EnCEP®) program.

The EnCE® certification program provides public and private sector professionals with formal training in the use of Guidance Software's EnCase® computer forensic software. By becoming EnCE® certified, professionals show that they have mastered computer investigation methodology as well as the use of EnCase® during complex examinations.

Seeking additional experience, Lutkus became an EnCEP® earlier this month. The EnCEP® program certifies professionals in the use of Guidance Software's EnCase® eDiscovery software, as well as their proficiency in e-discovery planning, project management and best practices spanning legal hold to load file creation.

We caught up with Lutkus and spoke with him about his EnCE® and EnCEP® certification experiences.

Q: Why did you decide to seek out certification to become a certified computer forensics examiner?
A: I decided to pursue a program mostly because I was kind of a self-taught expert in the area. I didn't have a degree in computer science that would lead people to believe I was really good at this. I went to law school and had an interest in technology, but I needed to prove to people that I knew what I was doing. So, I decided to gain some formal qualifications.

Q: Why did you choose the EnCase Certified Examiner program over other certification programs?
A: I went with Guidance's EnCase® Certified Examiner certification program because they were more of a market leader in this area than other certification course providers. Also, they have a more recognizable name and are highly respected in the e-discovery/computer forensics space. Additionally, the principles I was learning would be applicable to any software, not just EnCase®. It was kind of a no-brainer for me.

Q: How would you describe your experience in the certification program?
A: I found the program comprehensive. There's a lot of good introductory information and higher-level information. I especially liked the EnCase EnCE® Prep Course. That really helps refresh your memory about all the information you learn, prior to taking the certification exam. I also had a lot of fun in EnCase® Network Intrusion Investigations and the Certified Ethical Hacking classes. Overall, it was a really good experience.

Q: How do you use the knowledge you acquired through the EnCE® certification program in your current position?
A: Within Seyfarth Shaw's e-discovery group, I do a lot of work related to information security and computer forensics. Many of the matters I work on are trade secret cases where you have employees leaving a company and taking customer lists and other business data. I've been doing that work pretty much since I got my certification, which was two-and-a-half years ago. Most of what I do day-to-day involves EnCase. In fact, there isn't a day that goes by where I don't use the software. I would not be able to do many of the job functions I currently perform, without having taken the training courses and becoming certified.

Q: Why did you choose to pursue EnCEP® certification? How do you think this will help you with your current job functions?
A: I pursued it because getting certified was a challenge personally. I also use Guidance Software's e-discovery product regularly. Receiving this certification has set me apart. I was already in a small group of attorneys with my EnCE® certification. I'm part of an even smaller group now with my EnCEP® certification. This helps show clients that I'm at the forefront of the industry; and I have achieved a very difficult and respected certification that shows my proficiency in handling their electronically stored information (ESI).

Q: What would you say to other professionals who are interested in becoming certified examiners?
A: I think they need to make a conscious effort to be realistic about the time commitment. You really have to dedicate yourself to these classes and immerse yourself, if you want to get the full value of the education. You also should practice using the software to familiarize yourself with it. Even if you don't have EnCase®, you can still practice on free forensic tools to get an understanding of terminology. Also, Guidance and its partners now offer on-demand training, which facilitates people with busy schedules.

Learn more about the EnCase® EnCE® and EnCEP® certification programs. Review the comprehensive list of training course offerings.

Learn more about EnCase® eDiscovery.

I Can See Clearly Now

Victor Limongelli Last week, Guidance Software announced earnings results for 2010. We had a strong end to a record year. We experienced solid demand for EnCase® eDiscovery version 4, which was released in late August, as well as our EnCase® Cybersecurity offering. Looking to 2011, we expect continued improvement in the e-discovery and Cybersecurity markets, as well as our core forensics space.

Our strong results validate our belief that there is an increasing need among corporations and government agencies to get a handle on their unstructured, unmanaged data. We believe that this is a long-term, multi-year trend.

Devices are multiplying and unmanaged data is growing.

Over the next three years, researchers estimate that more than 1.2 billion laptops and desktops will be sold, and an equal or higher number of smart phones will be sold, along with tens of millions of servers and tablets. This multiplication of devices brings with it the propagation of digital data – companies and government agencies find themselves with business data everywhere. This unstructured and unmanaged business data – and the lack of visibility into the data – causes meaningful business problems. First, it causes business problems when the company is sued and it needs to gather data for electronic discovery. Second, it causes business problems when the company needs to conduct an internal investigation, for HR, compliance, or other purposes. Third, it causes business problems, and creates risk, when sensitive data is stored in unauthorized locations, or when unapproved applications are running on devices.

EnCase® provides visibility.
Our EnCase® software solves these problems, and it does so by attacking the underlying situation – by providing visibility to the endpoint, so that the business problems can be addressed. We package our products around specific business problems, such as eDiscovery or Cybersecurity, but at a fundamental level we provide a platform that delivers visibility to the endpoint. Visibility into the data stored, the applications running, and the activity occurring on the endpoint – laptops, desktops, and servers, but also content management systems, smartphones, and cloud applications.

Given the proliferation of endpoints that is underway, we believe our platform will become increasingly valuable. From a central location we can reach the computing environment that exists – we deal with the world as it is and the world that is emerging– with data everywhere, and easily accessible to employees – not the world as people wish it to be, wishing they had everything in a centralized repository of data that is protected and tightly controlled. We provide visibility into that computing environment, and enable accurate decision-making and the rapid actions necessary to meet compliance obligations, reduce risk, and secure an organization’s assets.

Learn more about EnCase® Enterprise, EnCase® eDiscovery, EnCase Cybersecurity, and EnCase® Forensic.

Read our earnings release.

Victor Limongelli is Guidance Software's president and chief executive officer.

Metadata and Load Files Required for Government FOIA Responses

Daniel LimJohn Blumenschein Federal District Court Judge, Shira A. Scheindlin of the Southern District of New York, author the Zubulake opinions as well as last year’s seminal Pension Committee case, has written another landmark opinion regarding e-discovery with National Day Laborer Organizing Network v. United States Immigration and Customs Enforcement Agency, 2011 WL 381625 (S.D.N.Y. Feb. 7, 2011). The case is in the context of Freedom of Information Act (FOIA) requests. In a matter of first impression, Judge Scheindlin holds that “metadata maintained by [an] agency as part of an electronic record is presumptively producible under FOIA, unless the agency demonstrates that such metadata is not ‘readily reproducible.’” Slip op. at 18 (emphasis in original). Judge Scheindlin makes further findings as to fields to be included in load files for FOIA productions. The opinion underscores the importance of ESI preservation and production that preserves original metadata.

Read the full Court decision here.

The Plaintiffs had requested FOIA records from four government agencies --- Immigration and Customs Enforcement (“ICE”), Department of Homeland Security, the FBI, and Office of Legal Counsel. The records related to a collaborative program called Secured Communities, where ICE and the Department of Justice enlist states and municipalities with the enforcement of federal immigration law. The Defendants’ FOIA response included five .pdf files totaling less than three thousand pages. The Plaintiffs objected that the data was (1) produced in an unsearchable format, (2) that the electronic records had been stripped of all metadata, and that (3) the paper and electronic records were merged together in the .pdf file.

Judge Scheindlin first notes that FOIA requires agencies to provide records “in any form or format requested by the person if the record is readily reproducible by the agency in that form or format.” Slip op. at 7 (citing 5 U.S.C. § 552(a)(3)(B)). While the Electronic Freedom of Information Act Amendments of 1996 (“E-FOIA”) recognize the need for government agencies to “use new technology to enhance public access to agency records and information,” the Court found little caselaw defining “readily reproducible.” Id. Judge Scheindlin further notes that caselaw has established that (1) “metadata is generally considered to be an integral part of an electronic record,” and (2) when a collection of static images (e.g., .tif files) are produced, load files must be produced to make the production searchable and reasonably usable.

Turning to the facts of the case, the Court found that the Defendants were on sufficient notice that Plaintiffs requested spreadsheets in native format and text records as separate, i.e., single files. Defendants failed to respond to Plaintiffs’ offer to discuss the format of production. Instead, Defendants produced all records non-searchable .pdf format., merging all records, and failing to produce e-mails with attachments. The Court concluded that this production failed to satisfy FRCP 34 or FOIA.

As for the remedy, the Court found that because Plaintiffs did not specifically request metadata, and because this was a case of first impression, it would not require the Defendants to reproduce all of the records with metadata. The Court ordered the Defendants to re-produce all text records in static image single file format together with their attachments, and all spreadsheets in native format. For future productions, the Court directed a protocol where the bulk of files would be produced in .tif image format with load files containing certain specified fields of metadata and spreadsheets would be produced in native format. The Court carefully noted that this protocol was specific to this case, but that FRCP 34 requires that records be produced in a reasonably usable format, “which at a minimum requires searchability.”& Id. at 23 n. 44.

The significance of the opinion is that the Court announces that metadata presumptively is producible under FOIA, and that the government has the burden to establish otherwise. The Court’s particular concern was that the Defendants’ production of static images stripped of all metadata and lumped together without any indication of where a record begins and ends was unacceptable, regardless of whether or not metadata had been requested specifically. Judge Scheindlin viewed the production as “an inappropriate downgrading of ESI.” Slip op. at 24. The Court concluded with an admonishment about continued attorney failures to cooperate and communicate on these issues.

Clearly, the case law continues to point to the need to collect, preserve, process, and produce ESI load files in a forensically-sound manner that preserves metadata.  The best practice is to use EnCase® eDiscovery to accomplish these goals by maintaining original native files throughout these processes.

For e-discovery practitioners, it is critical that they select a solution that allows them to comply with the metadata requirements from these recent decisions. Guidance Software’s EnCase® eDiscovery preserves metadata at the point of collection in its original native format. In fact, all of the metadata fields that Judge Scheindlin required in future productions by the federal government in National Day Laborer Organizing Network are preserved with EnCase® eDiscovery. Finally, EnCase® eDiscovery produces its forensically-preserved collections in load file format, thereby, making it the only all-in-one solution that can comply with the standard set by this case, as well as similar state cases dealing with metadata productions.

Read the full Court decision here.

Learn more about EnCase® eDiscovery.

Daniel Lim is Senior Director and Associate General Counsel at Guidance Software. John Blumenschein is Senior Counsel at Guidance Software. Both are members of Guidance Software's e-discovery legal team.

EnCase Portable Saves E-discovery Time and Costs

Guidance Software E-discovery is an accepted component of practicing law. However, with that acceptance come demands to streamline related costs and timeframes while still accommodating increasing volumes of data, sometimes from multiple locations.

Document Solutions, Inc. (DSi), an e-discovery and digital forensics company based in Nashville, Tennessee, is constantly working to solve this problem and announced that it is now offering a new money-saving technology for its clients: remote data collection using EnCase® Portable from Guidance Software.

EnCase® Portable is a pocket-sized USB data collection and triage solution that leverages the powerful capabilities of EnCase®. The solution automatically searches a targeted computer and collects data, including documents, Internet history and artifacts, images, other digital evidence, and even entire hard drives. During this search and collection, images, documents, Internet history and a variety of other data can be reviewed in real time on the target computer.

"We don’t jump on new technology simply because it’s new. However, if our tests show that something can save money and time for our clients, and help to ensure the highest quality product, then we include it in the mix of services we offer. Remote collection passed these tests with flying colors,” said Kevin Tyner, CFO and co-founder of Document Solutions, Inc.

Remote data collection allows DSi to send a small piece of hardware, similar to a thumb drive, to a location where it is used to gather data in a forensically sound and accepted manner. The recipient plugs the device into the target computer and the device, pre-programmed by DSi’s technicians, automatically finds the data that has been deemed relevant and saves it to an accompanying hard drive. The result is exact, quick and defensible.

“When we determined that this technology would be beneficial to us and to our clients we got a few options in to test,” said Gary Torgersen, DSi’s vice president of operations and technology “We determined that EnCase® Portable, a pocket-sized USB device that can quickly search and collect documents, Internet history, images and other digital evidence, was the best solution available.”

DSi recently completed a project involving 65 individuals in 12 different locations, including Puerto Rico. They had 45 days to collect, process, review and produce. Traveling from place to place, coordinating with various people and companies to obtain access to each computer would be both time and cost-intensive. Instead, these “plug-and-play” devices were sent to each location, with the software programmed to filter and hash-verify as it collects.

The total universe of data was equivalent to approximately 45-50 million pages of information, which was obtained over a 25-day period. As data was received back, DSi was able to process it for their client to start the review, allowing them to meet the short deadline.

Not only did the EnCase® Portable devices save time by allowing filtering at the point of collection, they saved money. These small devices allowed DSi to provide a flat rate per machine, including collection and filtering. They were able to lower their cost to one-third of what it would have been using traditional techniques – not including travel expenses. With 65 machines, that’s a substantial savings.

Learn more about EnCase® Portable.

Watch CNN Money‘s story “CSI for the Internet”

Guidance Software CNN Money interviewed Brent Botta from Guidance Software and Westchester County Police Sgt. James A. Welsh about digital forensics in today’s Internet world.

Watch the video.

You can also learn more about EnCase® Forensic here.

The Wake-up Call from WikiLeaks

Guidance Software One positive result of the recent publication of secret U.S. documents by the now infamous WikiLeaks organization is that companies around the world are realizing they need to revisit the security of their electronic information and take steps to secure that information.

“First and foremost these recent events should be a wake-up call for organizations to make sure they understand where their data is, what is sensitive data, and who has access to it,” says Steve Salinas, Sr. Product Marketing Manager at Guidance Software, in a recent article in Security Director News entitled, “What Security Professionals Should learn from WikiLeaks.” “Organizations are very aware that they need to have solutions in place beyond typical antivirus or firewall software to help control and protect their intellectual property.”

Once considered the responsibility of the IT department, electronic security today requires cooperation between multiple departments throughout a company. Read the full article at Security Director News.

To learn more about how Guidance Software can help protect critical electronic information visit: http://www.guidancesoftware.com/computer-forensics-cybersecurity-software-dcid-fisma.htm

Novelis Brings E-discovery In-House

Guidance Software The parent company to Novelis Corporation, Novelis Inc., is the global leader in aluminum rolled products and aluminum can recycling. The company operates in 11 countries, has approximately 12,300 employees and reported revenue of $10.2 billion in fiscal year 2009. Novelis supplies premium aluminum sheet and foil products to automotive, transportation, packaging, construction, industrial, electronics and printing markets throughout North America, South America, Europe and Asia. Novelis is a subsidiary of Hindalco Industries Limited, one of Asia’s largest integrated producers of aluminum and a leading copper producer. Hindalco is a flagship company of the Aditya Birla Group, a multinational conglomerate based in Mumbai, India.

Background
In Qualcomm v. Broadcom (Southern District of California, 2007) outside counsel made costly e-discovery mistakes that ended up costing Qualcomm the lawsuit. Investigators discovered more than 230,000 pages of emails, company correspondence, and memoranda after trial began, which led to the inevitable lawsuit between the client and the outside law firm. Qualcomm suffered great embarrassment that could have been avoided had the e-discovery process been staffed in-house with qualified personnel who understood the business, its processes and its data rather than relying solely on outside resources who were unfamiliar with the business.

Challenges
With mounting e-discovery fees and cases like Qualcomm in the news, the Novelis Corporation general counsel decided to bring the e-discovery process in-house. Service provider costs on one large case alone exceeded a million dollars, and the company wanted to bring these expenses under control. Given the budget crunch the legal department was facing, the question was, how fast could the capital spent be recouped in savings?

In addition to escalating service provider costs for e-discovery, internal policies required electronic data for terminated and retiring employees meeting certain management criteria be preserved with metadata unaltered during collection. The needs of the corporation demanded the law department have the best tools on the market with people knowledgeable in the legal complexities of e-discovery.

Solution
Novelis purchased the most highly respected and most often mentioned solution at industry trade shows, EnCase® eDiscovery. To support their efforts they also purchased training passports for the Novelis e-discovery team that enabled the team to get up-to-speed quickly and build a defensible, repeatable in-house process. As part of this process each team member received their EnCE® (EnCase Certified Practitioner) certification.

The company now preserves electronic data and saves case files in accordance with their electronically stored information policy. EnCase® eDiscovery is used for the acquisition of user-created information. If further review is warranted, either for a business purpose or in response to litigation, data is culled in EnCase eDiscovery and relevant information is exported and loaded into LAW PreDiscovery and Concordance.
In just nine months of using EnCase® eDiscovery, the company has saved more than $1.5 million in service provider fees.

The Future
EnCase® eDiscovery has proven to be a good solution for the corporation, as many plaintiff’s lawyers attempt to use e-discovery as a way to leverage settlements. Novelis will not be bound by the daunting costs of hiring outside counsel and third-party service providers to deal with the overbroad requests of plaintiff’s counsel and can focus on evaluating a case based on its merits alone.

In the future, the e-discovery team will focus on attaining the Guidance Software EnCEP® (EnCase® Certified eDiscovery Practitioner) certification as well as continue to use EnCase® eDiscovery software to its full advantage, allowing Novelis to focus less on service provider costs and more on the merits of the cases filed.

Learn more about EnCase® eDiscovery or watch this e-discovery webcast: “Learn where to focus your e-discovery efforts and why” with featured analyst firm, Gartner, Inc.

ACC Panel: Judicial Perspectives on Electronic Discovery

Guidance Software Guidance Software will be on hand at the Association of Corporate Counsel (ACC) 2010 Annual Meeting held October 24-27, 2010, at the Henry B. Gonzalez Convention Center in San Antonio.

Guidance Software President and Chief Executive Officer Victor Limongelli will host a panel on Tuesday, October 26. He will participate as part of the “Judicial Perspectives on Electronic Discovery” panel, which will bring together judicial thought leaders to share their views on the future of e-discovery practice as applicable to corporate law departments seeking to establish defensible in-house e-discovery processes.

Additional panel speakers include United States District Judge, Hon. Shira A. Scheindlin of the United States District Court, Southern District of New York, Chief Judge, Hon. Donald E. Shelton of the Washtenaw County Trial Court and U.S. Magistrate Judge, Hon. David J. Waxse of the United States District Court, District of Kansas.

The panel discussion will cover the Sedona Cooperation Proclamation, the impact of recent decisions and provide judicial perspectives on managing e-discovery, the protection offered by Rule 502 and sanctions for failure to meet e-discovery obligations.

The ground rules for electronic discovery are changing rapidly as forward thinking judges look both at the increasing importance of digital evidence to cases and also the new tools available to counsel. This panel will be invaluable to anyone who needs to know how these changes will impact on their cases.

The company will also showcase its recently announced EnCase® eDiscovery version 4, which offers new features that provide a unique approach to early case assessment (ECA) with pre-collection analytics that allow legal teams to query all of the data and get a better sense of how many responsive elements there are. From this, they can refine their search or sample the data so that they are better armed for their pre-trial conferences. Those interested in the new features can visit Guidance Software at booth 153 for more information.

ACC's Annual Meeting is the largest gathering of in-house counsel from around the world. Since it began in 1983, it has grown to become the premier annual event for corporate attorneys to gain education credits, meet with legal service providers and network with their peers. This year’s meeting will bring together corporate attorneys from all over the world and leading legal service providers for more than 100 continuing legal education/continuing professional development CLE/CPD courses and networking opportunities.

If you’re going to the show and you’re on Twitter share your experiences using ACC’s Twitter hash tag: #accam10.

Learn more about bringing e-discovery in-house in this webcast.

Learn more about EnCase® eDiscovery from Guidance Software.

Master European Data Privacy Laws

Guidance Software Where can I go to find out about EU data privacy protection laws and how they affect the discovery of European data in U.S. litigation?

As a preliminary matter, there is no one place to go for information about European data protection laws. However, an excellent starting place is the European Commission’s Data Protection website.

National data protection laws are based on European Commission Directive 95/46 EC, which provides an overarching framework and minimum standards. Furthermore, the Directive encourages each state to interpret and enact its own version. The European Commission website provides the Directive in multiple languages and an overview of the statuses of the legislation in the 30 member states that make up the European Economic Area—the 27 EU member states plus Iceland, Liechtenstein and Norway. There are also links to each of those statutes and their amendments (and, for Austria and Germany, to the laws enacted by the federated Länder or states) with English translations where available, with the caveat that translations are often “unofficial” and for informational purposes only.

The Article 29 Working Party is the independent EU advisory body on data protection and privacy set up under the Directive. Links to this group’s published opinions interpreting key issues and concepts in data privacy law are organized by year and include the 1/2009 WP 158 on pre-trial discovery for cross-border civil litigation (PDF), which specifically addresses issues surrounding data processing and, to a lesser extent, transfer. In addition, the Commission’s FAQs on transferring personal data out of Europe to third-party countries includes a step-by-step decision tree to assist with the analysis. Keep in mind that opinions of the Article 29 Working Party, though persuasive, are not binding on European national enforcement agencies.

National data privacy administration and enforcement authorities’ websites also have useful information. For example, the French CNIL’s website, available in English and Spanish, explains data privacy rights and obligations and includes topics and news items.

Among the blogs in this field, Chris Dale of the UK eDisclosure Information Project site provides timely analysis that manages to be both thoughtful and entertaining.

In addition to the national data protection acts and their related notices and other requirements, a host of other laws and issues can come into play. Labor laws, general and issue-specific “blocking” statutes, telecommunications laws, and regulations are among the many issues that you need to consider. The Sedona Conference® International Working Group WG6 has published two useful papers providing a broader perspective, including the 8/2008 Framework for Analysis of Cross-Border Discovery Conflicts and the 9/2009 International Overview of Discovery Data Privacy and Disclosure Requirements, which give detailed information concerning the legal system and data privacy laws of 12 countries, including seven European countries. One of these is Switzerland, which, being outside of the EEA, is not represented on the Commission’s site. The Sedona Conference lists these papers on its homepage under “Recent Publications” and requires users to provide their name and e-mail address to access them. Guidance Software has published a series of helpful white papers addressing EU data discovery issues, including “Seeking a Balance in the Discovery Equation,” which provides an overview of European data protection laws and their implications for U.S. discovery, and several on UK and German data protection and compliance issues.

Finally, if you are dealing with an actual data protection matter, it is essential to consult local counsel in the EU member state(s) where the data at issue is located.

Will County Sheriff’s High Tech Crimes Unit Exonerates Police Officer Falsely Accused of Murder

Guidance Software Typically EnCase® is used to prove someone’s guilt. Yesterday computer forensics and digital evidence helped Detective Joseph “Josh” Fazio in the High Tech Crimes Unit of the Will County Sheriff’s Police help clear Lynwood, Ill., police officer Brian Dorian of first degree murder charges. He was accused of shootings along the Illinois-Indiana border that killed one man and wounded two. Digital forensics software from Guidance Software assisted in freeing the officer.

An Associated Press story quoted Chuck Pelkie, a spokesman for State's Attorney James Glasgow's office, “It wasn't until investigators fully analyzed Dorian's computer on Tuesday that they concluded it was impossible for him to have been the shooter.” This digital evidence was processed by Sherriff Paul Kaupas’ High Tech Crimes Unit working around the clock for the last four days analyzing Dorian’s computer.

At a court hearing that lasted less than five minutes, charges against Dorian were formally dropped.

The Chicago Tribune quoted Glasgow, “Sheriff's investigators found evidence that the computer was in use at a time that would have made impossible for the person using it -- Dorian -- to be there at the time of the shootings.” Glasgow also said, “In this particular case, I guess Brian Dorian can thank God for computer technology.”

The case exemplifies how the proper handling of digital evidence, EnCase® forensic methodology and technology and a trained and certified forensic examiner, can lead to a successful case outcome. EnCase® Forensic helps courts worldwide uncover the truth -- guilt or innocence. In cases where time is an important element of a case, using a tool that maintains the integrity of the evidence by allowing an examiner to analyze a computer user’s activity without altering access dates and times is important.

Deep forensic analysis can mean the difference between guilt and innocence. Learn more about EnCase® forensic technology and forensic training.