Interview: Electronic Evidence (ESI) Expert Kristin Nimsger

Kristin Nimsger is Electronic Evidence Product Line Manager at Kroll Ontrack Inc. The Electronic Evidence team focuses on assisting attorneys practicing in many areas, including mergers and acquisitions, intellectual property, class actions and complex litigation, with discovery and investigations surrounding electronically stored data. Ms. Nimsger's duties include consulting with law firms, corporate legal departments, and government agencies on electronic discovery and computer forensics issues in civil and criminal litigation and regulatory matters. She speaks regularly on the topics of electronic discovery, computer forensics and technology's role in the law. Recently she appeared on Fox News, CNet Radio, and Bloomberg Radio speaking on these topics.

1. Where does computer forensics come into play in litigation?

The vast majority of the time, when computer forensics becomes an issue in litigation is when one of two things comes into play:
(1) When an individual's conduct must be known with regards to their computer. Did they send trade secrets to a competitor via email? Did they copy proprietary information from their computer? Did they delete something and try to overwrite it?
(2) If someone has deleted something either intentionally or unintentionally and it is subject to litigation, then we would engage in a deleted recovery to bring back that information and search it and provide it because it is both discoverable and admissible.

2. How do you respond to skepticism about electronic data's value to litigation?

The reality is that business and individuals live using electronic means. Their communication is electronic in many instances. In 1999, 93% of all documents created in corporate America were created electronically. One has to believe that this number has only increased. There are statistics that indicate that 70% of that electronically created data never migrates to paper. If you're ignoring electronic evidence in your cases, you're missing out - it's the equivalent of only reviewing 3 out of 10 file drawers of potentially relevant and discoverable information.

3. What types and formats of information are you able to retrieve from a computer?

We receive images of entire hard drives, so anything that exists on a hard drive is something that we can access and in most cases produce back for review. Of course, there are some programs that are more challenging or unknown to us, but we have a team of software developers that reverse-engineer those programs and still get at the data despite the fact that we may not have the native application.

Often we have to access some very out-of-date media and systems in the e-discovery side of our business. We'll receive backup tapes from systems that are over a decade old, and the hardware and software systems that created and stored the files are no longer in use. For example, there's an old email program called Banyan VINE that gave us trouble. We were able to eventually restore it, but it was such an antiquated system that it required extra effort.

We have endeavored to maintain a complete library of hardware and software for old legacy systems in order to access that data when necessary.

4. Is it possible to permanently delete information from one's hard drive, and do people have a right to engage in the deletion of information?

It is possible, yes, but you don't really delete it from the hard drive. The data doesn't really go away. What you do is write over the information again and again. It's the equivalent of putting a number of pieces of paper on top of each other -- at some point, the first, second or third page down is hard to detect, but it is still there.

There's nothing that is per se nefarious about deleting data, but the appropriateness of it depends on the situation. If you're talking about a personal computer, you can absolutely wipe off your computer, particularly if you're donating it to charity. And if you're talking about a business environment, there are also situations where it is perfectly appropriate to delete data.

The issue is that if there is a pending investigation or pending litigation against you personally or against any part of your organization, there is likely some duty that is triggered to preserve your data. So if you are going to engage in any wholesale overwriting, reformatting, or any other activity that will alter or delete data, you need to be aware whether there exists a duty to preserve.

5. Can you talk about cleaning software? Which are the best, what are their levels of effectiveness?

There are so many different varieties, but essentially what the vast majority of products on the shelves do is some level of formatting to your drive. This can either be a high-level or a low-level formatting.

High-level formatting removes the pointers to files. It makes the files less available to the user, but it doesn't necessarily make them inaccessible to computer forensics examinations. Low-level formatting actually goes in and zeros out the drive, thereby overwriting all of the data. Ontrack has a product called Data Eraser that does this type of low-level reformatting where you can delete everything from your drive. When evaluating that type of software, it's very important to know what type of formatting that software is performing.

The important point to note from an electronic evidence perspective is that cleaning software creates evidentiary footprints of what you've done with your computer. In many cases, the very act of deleting data can be evidence against you, and in some cases, there will be an inference against you in court.

6. Do you feel that information on how people can effectively delete electronic data should be more readily available? Who has the responsibility of providing this information to consumers?

I think in general, there is a lack of understanding by people about how their computers actually store data, what relevance electronic evidence has, and how to get rid of it. One thing we've tried to do to minimize this lack of education, particularly within the legal community, is to do comprehensive CLE programs on both the law and technology relating to electronic evidence.

Consumers should seek out this information on their own. If you are a consumer and you will be donating your computer to charity, you should take the responsibility to seek out information on how to get rid of personal data that you don't want to pass on. As an industry, we are trying to make people aware of not only the importance of electronic information, but also its fragility in some senses and its permanence in others.

7. If a hard disk is physically destroyed, can the data contained therein be accessed?

Absolutely. Our company began as a data recovery company, and that's still our flagship division from a revenue perspective. That portion of our business exclusively deals with recovering data from media that has physically malfunctioned or been subject to fire, flood or other damage.

We have a number of stories that have landed in our computer forensics branch where we've had to take advantage of our data recovery technology. For example, there was a man who became aware that his computer was going to become the target of an investigation. When the authorities came to take his computer for examination, he was jumping up and down on his laptop. And when he realized that wasn't working, he threw it out the window into a body of water. We were still able to recover all of the data in house, though.

8. Does encryption or other forms of security impact the work you do?

We provide a standard service of password and encryption cracking if we're addressing protected documents or data, and essentially our engineers have told me that virtually any password or encryption can be cracked if enough time is spent on it. In most cases, we do a cost-benefit analysis, and decide how much time should be allocated to cracking security. The vast majority of passwords and encryption are routinely broken through the use of our technology.

9. Explain the difference between electronic data discovery and computer forensics.

Electronic discovery is the technology, services and tools that are marshaled to manage a huge volume of electronic information in the context of litigation or other proceedings.

That is to be contrasted against computer forensics, which is the recovery of deleted information. It's the science of examining and piecing back together the who, what, when, where, and how of computer-related conduct. The computer is viewed as a crime scene.

10. How is your work different than what the FBI or other law enforcement organizations do? Is there any overlap?

There's a great deal of overlap. As a matter of fact, the FBI is a large client of ours. We do computer work for the FBI, Department of Defense, and Secret Service. Essentially, they send some of their tougher cases to us. There is definitely a push within the law enforcement community, particularly at a federal level, to create their own resources to address computer-related investigations. But they don't yet have a fully functional lab that can do all the things that we can do. For example, law enforcement has a problem dealing with archival systems, legacy data, and back up data. In addition, on the data recovery side, if there is a problem with the media, or a hard drive doesn't function, law enforcement has a limited capacity to restore the function.

11. How would you characterize the majority of your clients?

The vast majority of our clients are top 200 law firms and Fortune 50 companies engaged in either litigation, or subject to some sort of federal investigation or regulatory proceeding, such as anti-trust investigations involving the FTC and DOJ. We have another subset of our clientele that is law enforcement, from local to state and federal levels. And we have some individuals as clients.

A subset of our corporate client structure includes corporations that are engaged in internal investigations of their current or past employees. Very often, and with increasing regularity, corporations are making copies of the hard drive of every employee who leaves. They are then able to conduct investigations to ensure that trade secrets or other proprietary information have not been transferred outside the company.

12. What are some current client trends?

Historically, our clients have been in a reactive stance. They come to us when they are backed against a wall and they need to conduct an electronic evidence investigation or to produce information electronically. Now, we're seeing that corporations, in particular, are looking for more proactive electronic data management solutions, both in the form of electronic data retention policies and technological solutions that allow them to marshal all of their electronic information assets into one searchable database or one usable format. They want to be prepared and avoid the pain of investigations on an incident-driven basis.

13. Can you discuss preservation of evidence and the types of destruction of evidence that occurs?

This is a huge topic. The issue is when the duty to preserve arises, when litigation is either pending or impending. If you know that litigation is coming, if you should know it's coming, or if it's actually ongoing, you have a duty to preserve all evidence that could be relevant to the particular matter. This duty encompasses the duty to preserve both electronic and paper documents and any other evidence.

The difference between preserving paper documents and electronic documents is pretty simple. In the world of paper documents, destruction generally requires an overt act, such as putting a document in the shredder, trash or incinerator. You have to do something to destroy it. This is simply not the case in the electronic world. Maintaining the status quo of corporate IT department policy, which includes the recycling of backup tapes, is routinely destroying data without a lot of forethought or overt planning.

Overt or inadvertent, the law doesn't make a distinction on the type of destruction of evidence. Organizations are thus faced with potentially horrible sanctions for the spoliation of evidence simply by maintaining the status quo of their business operations.

14. Are corporations equipped to prevent routine destruction of data?

Not at all. The biggest and best corporations, and even the most tech savvy ones, have uniformly demonstrated that they haven't yet developed appropriate processes and implemented them to prevent the destruction. It's a huge problem in corporate America, and there have been numerous cases in recent headlines that demonstrate this issue.

15. In terms of preserving data and avoiding liability, is there a certain type of information backup method that is preferable?

If the only goal is to avoid a spoliation inference, I suppose you would want to preserve everything. Never recycle a backup tape. But that's really not a good business decision in many cases. From a risk management perspective, you have to determine whether you want everything ever produced in your organization maintained for eternity.

If you are engaged in litigation and the duty to preserve electronic information arises, we often suggest that you seek a proactive court order defining the duty to preserve in that particular case. Ask that the duty be limited to certain individuals or certain time parameters or other indicia of reasonableness.

16. How has the electronic medium impacted the way discovery requests are produced from one side to another? Is paper still used?

Paper is still used but is rapidly going the way of the dinosaur. Law firms are recognizing that if the majority of critical data is created electronically and is processed electronically for review and production, then it makes sense that it could be produced to the opposition in electronic form. So we are definitely seeing an increase of requests to produce either electronically or in CD ROM or via litigation support database. The wave of the future will absolutely be electronic production.

17. Can information be lost when it is transferred from electronic form to paper?

Yes, the potential to lose metadata exists. Metadata is a definition or description of data, and is not included in standard printed versions of electronic documents. Metadata can tell you a lot about the data, such as who authored it, when it was altered, and what words have been designated to describe it.

We have a method where clients can get data on paper, and we will give you what we call a "slip sheet" for every document, which contains all of the electronic metadata that you would be able to see if you were looking at the same data electronically. But, it's a less technologically-advanced way to review, to say the least. It's really much easier in most cases for people to look at things in electronic form and see all the metadata attached to the data.

18. Are courts and judges equipped to deal with electronic data discovery issues?

Absolutely. It's settled law that electronic information is as equally discoverable as paper documents. What remains to be determined by the courts, and what is still being debated in the cases, is what protocol should be followed to actually govern the exchange of information and what are the cost shifting and sharing protocols. There have been some recent decisions and articles on that issue. The case, Rowe Entertainment, sets forth an 8-factor balancing test on the issue of who pays for electronic discovery.

There's also some debate among the Civil Rules Advisory Committee as to whether the rules should be amended to include specific guidelines for electronic evidence. This issue is nowhere near settled. But there are a number of federal court local rules in many jurisdictions that specifically address electronic evidence.

19. As electronic data becomes ubiquitous, how important is it that lawyers possess a certain level of technological understanding, and what is that level?

I think that at a minimum, attorneys need to understand what trouble they can get their clients into on the preservation of evidence issue. This issue requires them to know a bit more about technology than they're generally accustomed to understanding, or at least they need to know the right questions to ask of their clients and their clients' IT departments about how data is created.

However, I also feel that in order to be a zealous advocate for your client in the 21st century, you need to be quite savvy about the exchange of electronic information, and if you are not routinely requesting electronic documents and enforcing your requests to produce, you are missing the boat on what could be the vast majority of critical evidence that exists in the realm of the opposition.

20. Can you give a brief history of computer forensics, the current state of the industry, and where you think the industry is headed?

Speaking from my company's perspective, we began as a data recovery company. As the use of technology blossomed among individuals and corporate America, litigation started to consider electronic information as a source of evidence. As an industry, there's been a couple different evolutions. There's been a few technology companies that had some existing capacity and have evolved to provide this service. There's also been some paper discovery vendors that are essentially copy vendors that have recognized this need and tried to grow some technological capacity into their business. And then there have been consulting firms that have attempted to organically grow some of these technology capacities.

What we're starting to see now, and the Kroll-Ontrack merger is a perfect example, is that organizations that have a real strength in consulting are beginning to buy or join forces with organizations that are best-of-breed from a technology perspective. I think we'll see more of that in our industry.

Because the electronic data recovery industry is in its infancy in the grand scheme of things, there's hardly any uniformity of practices across the industry. As an attorney who is evaluating expert service providers, you really need to be either trusting of a relationship that you have with an organization, or savvy enough about the technology to decide if what they're offering is appropriate for your situation.