ediscovery blog

10 Things You Don’t Want to See in eDiscovery

Share this article

An eDiscovery project can be complex when just considering in its general parameters. Maybe it’s a certain document type, production style, or naming convention – there are more than a few things that make eDiscovery life difficult. But keep in mind, these are exceptions rather than the rule. Of the hundreds of millions of documents Avansic has loaded for online review, the vast majority of them fall into only seven file types. So, if you have one of the items that follow in your case, it just may require some exception handling, extra time, and – so you’re prepared – potentially some extra cost.

10 Things You Don’t Want to See

1. DWG or CAD files

These don’t fit neatly into the 8.5×11 size that all of us think a document should be. There are layers and renderings and it’s difficult to determine how to present them in a data set comprised of other documents that do fit on a “page.” This is especially true for CAD drawings with multiple layers. Isolating to just the data needed for presentation can be very helpful. There may be instances where the opposing party has a viewer that can accept CAD files, in which case providing the native version is an easy solution.

2. Select Email on a Macintosh

In this case, the difficulty is that email headers, messages, and attachments are stored separately. Common eDiscovery and forensics tools don’t understand the relationship between these fractured parts of an email. The solution is to re-create the email from its parts using a custom tool based on the data. Alternatively, if one has the Macintosh device it can be used to export email into PST or MBox format.

3. Encrypted/Password Protected Files

Without a password, these files aren’t accessible. By far the best solution is to obtain the password from the user. There are methods to figure out passwords, but it requires very significant computer power, time, and cost, and ultimately there is no guarantee of success.

4. Email Archivers

Each archiver is different and may have different problem areas in terms of eDiscovery. For example, some archivers gather mail as it is inbound to the system and don’t know a custodian – for instance, [email protected] might redirect depending on the employee in charge of sales only at that time. Archivers often store emails in a manner that makes them easy to search the body but not the attachments. Then, the entire archive contents must be exported in order to perform proper searches. Here, the best solution is to work with the archive vendor to determine methods for extraction.

5. Poor Packaging

A loose hard drive in a cardboard box is not an effective way to ensure digital media will arrive at its destination intact. Before you ship, discuss proper shipping guidelines with the party receiving the materials.

6. Cloud Data That Isn’t eDiscovery Ready

More cloud providers are popping up, but they are not all equal. Most make it very easy to get your data loaded but don’t necessarily have similarly robust procedures for you to get your data exported when you need it. It’s common for a mass export to take several times longer than it took to upload. As well, the associated metadata may be missing or inaccurate. Unfortunately, one of the most common email providers makes it difficult to download hosted email that is ready to be processed in eDiscovery. Evaluate each provider at the earliest opportunity to determine the length of collection and if special handling or post-processing is needed.

7. Files Within Files (Complex File Types)

The most common example is a PST or OST file that contains emails that themselves have a PST attached. Most eDiscovery tools don’t track a hierarchical relationship of attachments which makes it difficult to understand the context of an item in a given family. Proper searching of any file container will require the expansion of these files beforehand, which frequently results in many more documents than originally anticipated.

8. Non-Searchable Types That Contain Text Within ESI

A good example of this is a scanned document that is an attachment to an email within a PST. Searching the email for content within that document wouldn’t necessarily locate the text in the scanned document. Similar to container file issues, proper searching requires them to be expanded and the individual parts to be processed as well, including imaging and OCR for items without extractable text.

9. Legacy and Uncommon Email Formats

This includes email in older or uncommon formats or programs such as older MBox, GroupWise, and Lotus Notes NSF files. Often these types require a large amount of additional pre-processing to get to what is considered bare minimum for other formats. The most common solution is to convert these to the EML format, which in many cases loses valuable information including format-specific metadata; and once converted, it still may not look like regular email. A solution is to find eDiscovery vendors with experience or that have development resources to decode the format.

10. Legacy Hardware

Challenges include poor connection speeds, types no longer supported with modern operating systems, and drives that may not spin up. A vendor with experience getting information off those devices is needed, as well as an understanding that the time frame may be longer than expected.

Conclusion

Each of these issues require some expertise to address. It is worth the time to talk with your eDiscovery vendor and determine their level of familiarity with the data type before sending the work, along with evaluating the importance and value of the information to your case. The nature of most of these will require additional work that can often be time consuming and expensive. Ask the vendor if they know of options to get a similar result without processing the most difficult types directly.

Dr. Gavin Manes on Email
Dr. Gavin Manes
CEO at Avansic
Dr. Gavin Manes is a nationally recognized eDiscovery and digital forensics expert. He founded Avansic in 2004 after completing his Doctorate in Computer Science from the University of Tulsa. At Avansic, Dr. Manes is committed to high-technology innovation, research, and mentorship, and has several patents pending. Avansic's scientific approach to eDiscovery and digital forensics stems from his academic experience.

Dr. Manes routinely serves as an expert witness including consulting with attorneys on data preservation issues. He contributes academic content to peer-reviewed journals and delivers classroom lectures. See his full CV at gavinmanes.com.

Dr. Manes has published over fifty papers on eDiscovery, digital forensics, and computer security, countless blog posts, and educational presentations to attorneys, executives, professors, law enforcement, and professional groups on topics from eDiscovery to cyber law. He’s briefed the White House, the Department of the Interior, the National Security Council, and the Pentagon on computer security and forensics issues.

At the University, Dr. Manes formed the Tulsa Digital Forensics Center, housing Cyber Crime Units from local, state, and federal law enforcement agencies. He’s a founder of the University of Tulsa’s Institute for Information Security, leading the creation of nationally recognized research efforts in digital forensics and telecommunications security.

Share this article