CYFOR Blog

With the vast amounts of electronic data involved in civil disputes, it has never been more critical to ensure that digital evidence is forensically sound for electronic disclosure in litigation.

Failure to comply with this principle could see your disclosure of evidence challenged by the opposing side.

Evidence disclosure in litigation is a critical component of the legal process. If you are involved in a civil dispute, you are required to follow the disclosure process set out in the Civil Procedure Rules (CPR) and share information with the opposing party. This includes both documentation that supports your case and documentation that can potentially undermine your case. This ensures that both parties have all the documentation relevant to the matter available, enabling the Court to make an informed decision.

It is at this stage that the issue of whether an extensive search has been sufficiently completed is commonly disputed by the opposing parties. However, an aspect of disclosure that is just as critical is whether or not the information has been collected in a manner that preserves the metadata and captures all data effectively.

The importance of collecting data forensically

Collecting digital evidence in a forensically sound manner is crucial if electronic disclosure in litigation is to be used as admissible evidence in court. Allowing in-house IT departments to perform their own inadequate data workflow could severely jeopardise a legal disclosure exercise, especially when presenting evidence in court. If the correct steps to disclosure have not been adequately followed, then the opposing party will capitalise on this, critiquing your workflow and attempting to discredit the evidence. Using forensically sound workflows in accordance with the ACPO guidelines would eliminate any concerns or risks.

The consequences of cutting corners

Should a client be unwilling to instruct experts to manage a disclosure exercise, then you leave yourselves open to an array of risks that include:

• Missing data during a search;
• Losing critical metadata;
• Overwriting or unintentionally amending metadata;
• You cannot include deleted data;
• You open yourself up to the opposing party critiquing your workflow;
• Risk the chance of having to do a disclosure twice;
• Your whole disclosure could get thrown out of court;
• Risk breaking fair disclosure of evidence obligations;
• Put your brand reputation on the line and risk embarrassment.

As eDisclosure specialists, CYFOR unquestionably advises clients to allow for the collection of data in a forensically sound manner. This ensures that the critical metadata within the digital evidence (such as documents) is preserved without alteration. If we have a forensically collected copy of the data, then we would be able to defend your disclosure process in a court of law. This would confirm that all documents are legitimate, which nobody would be able to do should your client do the searches themselves. Failure to do so would allow the opposing side to challenge your eDisclosure process and/or accuse your client of having fraudulently created documents.

Why would a client not instruct forensic experts in the first place?

• Cutting corners while attempting to cut costs;
• A lack of understanding in terms of the benefits;
• Failing to understand the consequences of not instructing an expert;
• Some providers may not offer forensic collection as a standard service;
• Perceived time constraints;
• Data security privacy concerns.

What exactly is metadata?

Metadata exists within every digital item (such as documents and images) stored on physical devices, such as your computer and smartphone. It is the information generated within a piece of electronic data and the information contained within metadata can include:

• Author
• Creation date;
• History;
• Keywords;
• Document software used to create it;
• When it was last modified;
• What the name of the file is;
• Location within the file system.

These devices may also collect metadata about your usage, creating a digital footprint. These properties may be automatically generated by your operating system, or the application you are using. Metadata often tells the rest of the story about the document and, therefore, is often a key focus of disclosure in litigation. However, there are still lawyers who are not fully aware of the benefits of preserving, collecting and utilising metadata, in part because they are not entirely clear on what it is and how it can be beneficial.

Collect wide and review narrow

CYFOR adhere to the methodology of ‘collect wide, review narrow’. This ensures that no digital evidence is overlooked during the forensic collection process. This eliminates the risk of the opposing party making accusations of not reviewing all relevant data for disclosure in litigation. If a client is allowed to review the data before you do, then they would be able to withhold potentially relevant information. Such an act would be detrimental as it would allow the opposing side to challenge the workflow in court.

Exponential litigation costs

CYFOR have first-hand experience of cases where corporates had initially attempted a document search themselves for disclosure purposes. Once the realisation set in that no forensic protocols had been adhered to and that a sufficient search of the data could not be confirmed, they turned to CYFOR to conduct a forensically sound analysis. Ultimately, it is far more cost and time effective to involve a third party once the disclosure stage is reached.

It is also worth noting that it may, in fact, be cheaper to outsource as opposed to conducting a linear review of the documents. If there are thousands of electronic documents involved within a disclosure in litigation, deadlines can be missed without having a more efficient way of reviewing the data. It would take significantly longer to manually review, which would also increase legal costs.

The ‘Forensics Bible’ – The ACPO Guidelines

The Association of Chief Police Officers (ACPO) guidelines are a set of principles that should be adhered to when handling electronic evidence. It is critical that they are strictly adhered to when computers or digital media are investigated. This is to ensure that the evidence collected has the following attributes:

• Forensically sound;
• A forensic audit trail exists;
• A chain of custody is established, ensuring no unauthorised access to the media;
• Data is not altered or overwritten;
• A forensic image (copy) is taken of the digital evidence;
• Approved forensic tools have been used to interrogate the data.

The ACPO Guidelines consist of four core principles:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other records of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

What can the civil spectrum learn from the recent criminal disclosure of evidence failings?

The recent criminal disclosure issues highlighted the numerous cases that collapsed due to incorrect disclosure practises, with 916 charges dropped in 2017 alone. The BBC reported that the number of collapsed prosecutions in England and Wales had risen sharply by 70% over the last two years due to the disclosure of evidence failings.

The biggest issue surrounding these practices is largely down to the vast amounts of data that investigators are faced with. The Police don’t have adequate resources or training in order to thoroughly apply the disclosure test to each piece of data extracted from a device. For example; if an individual lodged a complaint due to being harassed via text messages, a full forensic image of the phone would be initiated. This forensic image would be an extract of all the available data within the device, including;

• Images;
• Text messages;
• Call history;
• Contacts;
• Social media accounts;
• Internet activity.

Once extracted, the solicitor or investigator dealing with the matter would be obliged to view every document, photograph, video, search term etc. to satisfy themselves that nothing undermined their case or assisted the prosecution. Due to the ever-increasing amount of storage capacity in modern mobile phones, this task soon becomes totally unmanageable. Evidence then gets overlooked, hence the disclosure failings highlighted in the media.

A key takeaway factor for lawyers involved in civil disputes is to be as specific as possible with data extractions, taking into consideration exact time frames and areas of information. Instead of extracting every piece of data, they should be target-specific based on the information they have at the time. For example, if they are only looking for text messages in a particular time frame, they should only extract this section of the telephone’s data. This will greatly reduce the amount of time and effort required when sifting through the files.

The counter-argument to this specificity is that if not all data is extracted and reviewed, evidence could emerge further down the line that proves critical to the outcome of a case. However, if the extraction is based on the information at that time, the policy decision around that should be appropriate and documented accordingly.  

Case Study: Electronic Disclosure in Litigation – ‘Buy cheap, buy twice’

CYFOR were instructed by an international Magic Circle law firm to perform a complex eDisclosure at the eleventh hour. Their client was involved in litigation, with allegations of fraud and the theft of significant amounts of money. The client’s IT department had attempted their own electronic disclosure in-house, without abiding by certifiable digital forensic procedures admissible for court. This was exposed by the opposing party who had correctly instructed forensic professionals and had identified these failings within the workflow.

One of CYFOR’s digital forensic experts were tasked with travelling to Kazakhstan in order to evaluate the client’s information technology infrastructure, policies and operations. There was also the necessity to evaluate and assess the specific evidence collection process for disclosure in litigation proceedings.

Through the application of thorough step-by-step forensic procedures, the CYFOR expert was able to certify that the client’s employees who carried out the in-house electronic disclosure were competent to carry out the task required of them. It was also confirmed that they did so to the best of their ability with the tools available to them and that they did so in accordance with the agreement between the parties.

Whilst onsite, the expert was also instructed by the Claimants’ legal team to take a full forensic collection of any relevant data sources. This included forensic images of all hard drives and email servers available, in order to identify any documents that may inadvertently not have been caught by the Claimants’ electronic searches.

Although the conclusive findings were that the electronic disclosure process conducted by the Claimants’ was reasonable and proportionate given the circumstances, it came at great cost. Due to the inadequacy of the initial electronic disclosure in the eyes of the court, the client incurred considerable costs by having to perform the procedure twice. Hence the term, ‘buy cheap, buy twice’. There is also the reputational and embarrassment factor to consider given the high-profile reputation of the international law firm and their inability to instruct forensic professionals from the offset.

In conclusion, if the digital evidence had been captured in a forensically sound manner for disclosure in litigation proceedings, then the initial criticism would have been entirely avoided.