By Daniel B. Garrie Esq., B.A. & M.A. Computer Science
Bill Spernow, CISSP, CEH, PMP, Net+, Sec+, CHS III, GAPPI/GCP
In Part One of this article, the
authors identified a test case, Trump v.
Genger, supporting our thesis that technological misunderstandings almost
inevitably lead a court to commit legal error in e-discovery decisions. As described in Part One, the Trump case involved significant
sanctions imposed upon defendant Genger because he wiped the unallocated space
of certain computer hard drives.
Defendant did so after first taking a file level snapshot of the
“existing files” on the hard drives and then reviewing those existing files for
national security and personal information.
Any sensitive documents were encrypted, and the hard drives then
returned to Plaintiff. The wiping was
necessary to delete unencrypted copies of the sensitive documents automatically
generated as part of the encryption process.
In Part Two, we explain why the Court was wrong to find spoliation and
impose sanctions.
The court’s logic in imposing
sanctions was faulty on a number of levels.
Our first example is significant: the court did not properly determine
if relevant documents had been destroyed by the wiping software. In its opinion, the court references the
“Lentz Memo” as one of the missing documents that could have been recovered
from unallocated space as a deleted file – assuming the unallocated space had
not been wiped by the Defendant. The
Court’s determination, however, was based solely on cause and effect (it should
be here, it’s not, hence it must have been wiped), not independently verifiable
forensic evidence.
Other technological
reasons, however, would also explain why the missing files could not be found
in the unallocated space. What the Court perhaps did not
fully understand is that every action, including just turning on the computer
in the morning, creates, deletes and modifies hundreds of files and overwrites
data in the unallocated space. Given the
nature of the encryption process expressly permitted by the Court, it is more
than likely that all, or almost all, the data in the unallocated space had
already been overwritten. This is
because, as the court recognized, the encryption process creates at least one
or more temporary files, a final “encrypted” file, and the need to delete the
original file. All of this activity
consumes resources in the unallocated space area of the hard drive. Given the large number of documents reviewed
over the course of days by a team of attorneys, any data in the unallocated
space could have easily been overwritten by the encryption process. Thus, the Judge’s order, by permitting the
encryption of files stored on the systems in question, most likely resulted in
overwriting substantial blocks of data that previously had existed in the
unallocated space. If, as the Court
found, there was a smaller dedicated unallocated space for electronic mail and
email attachments, then all email derived data in this smaller, segregated
segment was almost certainly overwritten before the wiping software was
utilized. If the “Lentz Memo”, as an
example, had been sitting in the unallocated space as a deleted file, it could have been
innocently overwritten by the thousands of files created during the encryption
process specifically allowed by the Court.
So even if the wiping software had not been run by the Defendant,
the Lentz Memo would have never been found, and its absence does not
demonstrate the Defendant wiped it.
It is also unclear if the file
level copying process created a copy of the $MFT file for each computer backed
up. This is important because the $MFT
file, a Windows system file that is really a small database, contains technical
details about all valid files and most deleted files. Think of the $MFT file as the table of
contents for a hard drive that points you to the page of interest. Why this file was not examined to determine
what details existed about previously deleted files was a significant technical
oversight that ignored valuable potential evidence. This is critical because a review of the $MFT
could likely have resolved the court’s concern regarding intentional spoliation
by specifically identifying the names and sizes of the files that had been
recently deleted.
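
The $MFT review described above can be shown in Python. This is an added example, not code from the article or from the case record: it walks raw $MFT records, undoes the NTFS sector fixups, and lists the name and size of every record whose in-use flag is clear. The sample records and the helper names (`make_record`, `SAMPLE_MFT`) are constructed for illustration, and a 1024-byte record size is assumed.

```python
import struct

def apply_fixups(raw):
    """Undo NTFS's sector-end fixups; None if the record is torn or corrupt."""
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):
        if rec[i * 512 - 2:i * 512] != rec[usa_off:usa_off + 2]:
            return None
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw):
    """Return (in_use, name, size) for one FILE record, or None if unreadable."""
    rec = apply_fixups(raw) if len(raw) >= 56 and raw[:4] == b"FILE" else None
    if rec is None:
        return None
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    name = size = None
    while off + 16 <= len(rec):
        atype, alen, nonres, namelen = struct.unpack_from("<IIBB", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x30 and not nonres:          # $FILE_NAME
            c = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            name = rec[c + 0x42:c + 0x42 + 2 * rec[c + 0x40]].decode("utf-16-le")
        elif atype == 0x80 and namelen == 0:      # unnamed $DATA holds the true size
            fmt, pos = ("<Q", 0x30) if nonres else ("<I", 0x10)
            size = struct.unpack_from(fmt, rec, off + pos)[0]
        off += alen
    return bool(flags & 1), name, size

def deleted_entries(mft, rec_size=1024):
    """(name, size) for every record whose in-use flag (0x01) is clear."""
    recs = (parse_record(mft[o:o + rec_size]) for o in range(0, len(mft), rec_size))
    return [(r[1], r[2]) for r in recs if r and not r[0] and r[1]]

def _attr(atype, body):  # constructed resident attribute: 24-byte header + padded body
    pad = -len(body) % 8
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body) + pad, 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body + b"\0" * pad

def make_record(name, data, in_use):  # constructed 1024-byte FILE record, not from a real disk
    fn = struct.pack("<7QIIBB", 5, 0, 0, 0, 0, 0, 0, 0, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = _attr(0x30, fn) + _attr(0x80, data) + struct.pack("<I", 0xFFFFFFFF)
    hdr = struct.pack("<4sHHQHHHH", b"FILE", 48, 3, 0, 1, 1, 56, int(in_use)).ljust(48, b"\0")
    rec = bytearray((hdr + b"\x07\0" + b"\0" * 6 + attrs).ljust(1024, b"\0"))
    rec[510:512] = rec[1022:1024] = b"\x07\0"   # stamp the update sequence number
    return bytes(rec)

SAMPLE_MFT = make_record("budget.xls", b"A" * 200, True) + make_record("draft_memo.doc", b"B" * 100, False)
```

A cleared in-use flag survives only until NTFS reuses that record slot for a new file, which is why the $MFT describes most, not all, deleted files.
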
The court also apparently did not
understand that most data in unallocated space are random fragments. The analogy here is expecting entire pristine
documents in an area that consists mostly of confetti. This is probably why the computer consultants
never preserved the unallocated space before the encryption process was
initiated. The initial judicial preservation
order issued by the Court prohibited the destruction of any company related
documents, books, or records. It is not clear
how Judge Strine bridged the technological gap between that routine mandate and the
finding that deleted files, which in ordinary terms are already
destroyed and are unrecoverable through the Windows Operating System, fall within
those parameters. What started as a
routine e-Discovery process, which pays no attention to deleted files, was subsequently
transformed into an e-Forensic investigation about deleted files, to Defendant’s
disadvantage.
It is wholly unreasonable for
courts to expect litigants to preserve the unallocated space of their
computers, or understand they are required to preserve unallocated space, as
the result of a routine preservation order.
To expand preservation orders to include unallocated space in computers
and servers on pain of sanction, as Judge Strine now has done in the Delaware
courts, is unworkable and unreasonable.
To preserve this storage space, a company would effectively have to shut
down all their computers and servers prior to imaging – grinding the business
to a halt. Even then, it is not always
possible to recover deleted files from unallocated space, as opposed to random
bits and pieces of the whole.
Additionally, because of the random nature of the unallocated space, it
is impossible to know with certainty where the information sought is
located. It is a simple matter to
segregate active files by custodian.
If employee John Smith has information regarding the litigation, you
segregate his active files and search them for useful information. With fragments of files, as typically found
in unallocated space, no such segregation is possible. The analogy here is searching for a needle in
a field of haystacks. The cost will
always outweigh the benefits, if any, of such a search. For a company that has a number of servers,
even the cost of imaging and maintaining the unallocated space, as will be
required if unallocated space is now part of every “status quo” preservation
order and litigation hold, may be prohibitively expensive.
Finally, the court was correct to
note that the timing of the wipe by Genger and his consultant, at night after
everyone was done for the day, might provide reason for suspicion. However, undertaking such a lengthy process at
night is a common practice that minimizes the impact of the e-discovery process
on the business. Accordingly, such
actions on their own should not have led the court to conclude a nefarious
intent. Indeed, if Defendant’s consultant
Mr. Ohana had really been trying to hide his actions from discovery, he could easily
have removed all trace evidence of his wiping activities. The failure to do so supports the innocent
explanation for the wipe offered by the defendant.
Armed with partial or incomplete
information regarding digital matters as noted above, courts unfortunately can reach
the wrong conclusion. That is what happened
here in Trump v. Genger, where
Plaintiff successfully, but mistakenly, asserted that the defendant committed
spoliation of evidence, and unwittingly led Judge Strine to impose an
unreasonable and expensive burden upon this Defendant and all future litigants
and companies in the State of Delaware – the burden of preserving unallocated
space on pain of spoliation sanctions.
Mr. Garrie is a lawyer
and technologist and is recognized as one of the eminent thought leaders in
electronic discovery. Mr. Garrie is a managing partner at FSRDG, a national
legal risk management consulting firm, and serves as an e-discovery arbitrator
and special master all over the United States. He has also held technology
positions in both the private and public sector.
Mr. Spernow combined a
career as a computer engineer and California Peace Officer and quickly obtained
a national reputation as one of the first Cyber Cops. He has held IT
Security positions in both the public and private sector and currently provides
litigation and forensic support services in the Atlanta area.