1. Field of the Invention
The present invention relates to a system and method for preserving user created electronically stored information (ESI) and more particularly to a system and method for preserving ESI that complies with the Federal Rules of Civil Procedure with respect to discovery of such ESI.
2. Description of the Prior Art
In December of 2006, various amendments to the Federal Rules of Civil Procedure became effective dealing with discovery of such electronically stored information. Specifically, various Rules including Rules 26(a)(1), 33, and 34 were amended to include the phrase “electronically stored information”. Under the amended Rule 34 (a), the electronically stored information may include “writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form”. The definition is broad enough to cover future technology.
Such electronically stored information provides more information than paper copies of the documents. Specifically, electronically stored information includes the actual data or file and also includes meta data. Meta data is information about the file itself. For example, such meta data is known to include the name of the creator of the document, the date the file was last revised and any other file information related to the document. The meta data is stored along with the file on an electronic storage device, such as a hard drive or other persistent memory storage device.
The storage of documents on a hard drive in most computer systems is tracked by way of a File Allocation Table or FAT. More specifically, whenever data is written to the hard drive, the operating system uses the FAT to select an available storage location on the hard drive to store the data. The operating system also uses the FAT to keep track of those storage locations. When files are deleted, the documents are not physically erased from the hard drive. Rather, the entries relating to that file are simply deleted from the FAT. The file remains on the hard drive until it is written over by another file. Thus, even after a file has been deleted by a user, an image of the file will often be available for a fairly long time afterward.
In response to the relatively new rules regarding the discovery of electronically stored information, computer forensic experts are known to be used to extract or harvest images of all of the files on all of a company's persistent memory storage devices including deleted files, spaces and Internet surfing histories. These persistent memory storage devices are known to be located on servers and personal computers including desktop computers and laptop computers.
Harvesting of an image on a persistent memory storage device includes creating an image of all active files on the hard drive or other persistent memory storage device as well as deleted files. This process involves making a bit by bit copy of all of the data on the persistent memory storage device being examined. More specifically, software tools, such as FTK Imager, manufactured by Access Data Corporation (http://www.accessdata.com/forensictoolkit.html) and Encase, manufactured by Guidance Software, Inc. (http://www.guidancesoftware.com/), are known to be used to copy data from a hard drive, electronic memory storage device or other persistent memory device (hereinafter “persistent memory storage device”) without altering any of the user created data or the meta data relating to the user created data on the target persistent memory storage device being examined.
Once an image of the target persistent memory storage device is completed, the data is analyzed by such known software tools to determine an electronic fingerprint or hash value of the target persistent memory storage device being examined. Determining a hash value involves examining all of the 1's and 0's stored on the target persistent memory storage device being examined. The hash value allows any change in the data between the target persistent memory storage device being examined and the external persistent memory storage device to be easily detected. More specifically, any change in the data, even a single bit, between the target persistent memory storage device and the external persistent memory storage device will result in a totally different hash value. After the image transfer process is complete, the hash values of the target persistent memory storage device and the external persistent memory storage device should be exactly the same. Matching hash values lend support to the authenticity of the data copied from the target persistent memory storage device being examined.
In some cases, due to the volume of files contained in an image of the persistent memory storage device, the computer forensic experts are known to search the image file for specific files suggested by the opposing party and provide condensed versions of the persistent memory storage device image. In such cases, hash values of the copied files are determined and used to determine the authenticity of the copied files.
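The hash comparison described in the two paragraphs above, for a whole image and for individual copied files, can be sketched as follows. This is an added example, not code from the tools named in this description; the choice of SHA-256, the function names, and the in-memory "devices" and file contents are assumptions constructed for illustration.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read size in bytes (assumption; imagers read in sector multiples)

def acquire(source, image):
    """Copy source to image block by block; return the SHA-256 of the bytes read."""
    h = hashlib.sha256()
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        image.write(block)
    return h.hexdigest()

def stream_hash(stream):
    """Hash a stream from its start without loading it all into memory."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def file_manifest(files):
    """Per-file hashes for a condensed production set (name -> SHA-256)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def altered_files(manifest, produced):
    """Names whose produced content is missing or no longer matches the manifest."""
    current = file_manifest(produced)
    return sorted(n for n, d in manifest.items() if current.get(n) != d)

def demo():
    # Constructed 256 KiB "target device" and an empty "external device".
    target = io.BytesIO(bytes(range(256)) * 1024)
    external = io.BytesIO()
    source_hash = acquire(target, external)
    match = stream_hash(external) == source_hash
    # Flip a single bit in the copy: the digest no longer matches.
    raw = bytearray(external.getvalue())
    raw[100_000] ^= 0x01
    match_after_flip = stream_hash(io.BytesIO(bytes(raw))) == source_hash
    # Constructed file set; one produced file gains a trailing space.
    files = {"memo.doc": b"draft 1", "sheet.xls": b"q3 totals"}
    manifest = file_manifest(files)
    produced = {**files, "memo.doc": b"draft 1 "}
    return match, match_after_flip, altered_files(manifest, produced)

if __name__ == "__main__":
    print(demo())
```

Hashing the source while it is being read, then re-reading the external copy to hash it independently, is what makes the comparison meaningful: a fault in the write path shows up as a mismatch.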
The amended Federal Rules of Civil Procedure require the preservation and disclosure of electronically stored information to the requesting party. As such, harvested data from the target persistent memory storage devices of the various servers and personal computers involved are known to be stored on pristine external persistent memory storage devices for production to the opposing party in the litigation.
Federal Rule of Evidence 901 (a) requires that evidence must be properly authenticated before being admitted in Court. As such, in order for the electronically stored information to be admissible in court, proof of the chain of custody of the harvested electronically stored information must be provided to the satisfaction of a Court before it will be admitted into evidence in a case. This proof normally includes documenting the methodology used in the forensic acquisition of the electronically stored information contained on the target persistent memory storage device, and providing proof of the chain of custody of the electronically stored information during and after the retrieval process.
In most situations, the various servers and personal computers that need to be imaged are located in a central location. Thus, the time and therefore the cost for computer forensic experts is mostly spent on imaging and processing the persistent memory storage devices in the central location. In many cases, one or more target persistent memory storage devices are located at locations remote from the central location. In such situations, additional costs are incurred for travel expenses and travel time which significantly increases the cost of responding to a production request for electronically stored information. Thus, there is a need for reducing the cost with respect to such remote target persistent memory storage devices at remote locations.