Social Media is a big deal in the legal profession. Not only is it being used to promote law practices but it’s increasingly being used as digital evidence in courtrooms. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek talk to Craig Ball about the intricacies of preserving digital evidence. Their discussion includes whether or not to hire a professional to do the preservation and tools that you can use to gather and preserve digital evidence.
Craig Ball is a longtime adjunct professor teaching Digital Evidence at the University of Texas School of Law. He writes and speaks around the world on e-discovery and computer forensics.
Special thanks to our sponsors, PInow and SiteLock.
Practical Approaches to Preserving New (and Not-So-New) Media
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 78th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is Practical Approaches to Preserving New (and Not-So-New) Media.
Sharon D. Nelson: Before we get started I would like to thank our sponsors.
We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at sitelock.com/legal/digitaldetectives.
We would also like to thank our sponsor PInow.com, if you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: We are delighted to welcome as today’s guest Craig Ball, a cherished friend who is a Texas lawyer living in New Orleans. A longtime adjunct professor teaching Digital Evidence at the University of Texas School of Law, he writes and speaks around the world on e-discovery and computer forensics. Craig limits his practice to work as a Special Master in electronically-stored information and consults for and trains lawyers and courts.
Thanks for joining us today Craig.
Craig Ball: Thank you John and thank you Sharon. It’s always a great privilege to be on Digital Detectives.
Sharon D. Nelson: Well, thanks for agreeing to come back Craig. And we will start off asking a question that I know we all three of us hear a lot and that’s, why does the anticipation of litigation prompt the need to preserve such things as Gmail, social networking sites and online content?
Craig Ball: Well, there are really two parts I would share in answering that question. The first is it comes as a surprise even to experienced lawyers to know that the duty to preserve evidence is not something that they owe to their clients or they owe to the other side. It’s a common law obligation that they owe to the court. And it attaches at the time that one anticipates a claim or litigation.
But the reason why you need to preserve such things as Gmail and social networking and online content is because those things form such a crucial part of our day-to-day interactions. Recent studies have shown that the average user of a smartphone spends 3 hours and 47 minutes each and every day simply looking at that small screen, and when we add in use of our laptops, desktops, tablets, our IoT stuff, we are spending the better part of half a business day or more on these various devices.
One only has to look at the line at a Starbucks or the waiting area at an airport to know that we are more involved and more intimately connected to these devices than perhaps anything else in our life.
Sharon D. Nelson: Including people.
Craig Ball: Very much the case, isn’t that true?
John W. Simek: Well, I missed that train. At least I get 3 hours and 30 minutes of my life back every day.
Craig Ball: Well, that’s the thing John, think about us, if we can honestly say, I don’t have nearly that much time online, and it’s an average, think of what that signifies for the other people.
When I share with audiences the fact that on average a user of Facebook visits Facebook 14 times a day and their average time online daily is on the order of about 40 minutes. Well, now let’s just realize, I haven’t visited Facebook at all today or yesterday and so as a consequence of that I am making some poor soul have to go and stay on Facebook 80 minutes, 160 minutes. I mean, I am ruining their lives to keep this average in place.
Sharon D. Nelson: Pretty good Craig.
John W. Simek: That’s certainly one way to look at it Craig. Let me ask you a question here Craig that I think we pretty much agree with, but our listeners need to hear this. Is it really sufficient just to tell the client not to delete anything, because if they don’t delete it, won’t it just stay there and nothing happens bad?
Craig Ball: Well, hope that were so, and certainly the most common practice among lawyers and not a best practice, not even a good practice in my judgment, is for them to simply copy some sort of notice out of a form book that tells their clients or the employees of their clients, keep everything, don’t change anything, makes the lawyer feel a little better. But as a practical matter, it’s not very useful, and they rarely put all the pieces together for an effective preservation, because you not only have to tell people don’t do something, but where they are obliged to preserve dynamic content or content that’s changing all the time, you have to give them pretty clear instructions about what they have to do and you have to provide them with the assistance and the resources in order for them to get it done.
Now, one more point I would make is based upon something that the much revered late great football coach of the Texas Longhorns, Darrell Royal used to say, he said, there are three things that can happen when you throw a football and two of them are bad. By the same token, there are three things that can happen when you tell a client to preserve information. One of them is good, your client will be diligent, will know how to do it, know what to do it with and will have no incentive to reinvent history.
But two out of three times you are going to get somebody who doesn’t have the time or the resources or the inclination. And the third time you are going to have the person who says, oh, I don’t want them looking at my stuff, or I need to clean up my act and now all of a sudden you are looking at a smoking hole of spoliated information that completely derails the merits of the case.
So does it stay there? Yeah, in some instances it may stay there. Gmail may stay there, tweets are likely to stay there, but when we start talking about social networking content, it’s very dynamic, and because it’s contributed by multiple individuals and because it is also replete with information that is programmed by say Facebook, what you grab today may be very different from what you grab tomorrow and the next day.
Sharon D. Nelson: I still can’t believe that every month on some LISTSERV I will have some attorney who will say, why can’t I just subpoena the service provider? Why isn’t that the way to go? So answer that chestnut.
Craig Ball: You absolutely can subpoena the service provider and among those service providers who are running short of toilet paper, they appreciate the subpoena that they receive, because they look at it and they say, are you kidding me, we have the Shared Communications Act.
If a third party comes forward and serves a subpoena, particularly an out of state subpoena from a state court, it is not worth the paper it’s printed on. They are absolutely protected in terms of their obligation to preserve, protect, let alone produce that information.
If you are going to move forward in that approach, you are really going to have to bring an action to get the information in the jurisdiction where the service provider has its headquarters, let’s say Mountain View, California, and you are probably going to have to get a federal court judge to issue an order. Nobody wants to try to do that.
So it’s not the way to go if you represent the holder of the account, you have much less costly and more effective ways to get the information, and it’s a near total waste of your time in a civil case to try to do it as a suing party or as a requesting party.
Sharon D. Nelson: Yeah. Let me just stop for a second, because I think you misspoke, something which I never do. You said the Shared Communications Act; you meant the Stored Communications Act, yes.
Craig Ball: Oh, absolutely. Shared Communications Act was wishful thinking on my part. I did mean to say the SCA, the Stored Communications Act. It’s about an 18 year old statute at this point. It was written for a time of dial-up Internet and You’ve Got Mail, and unfortunately, it’s so antiquated and provided such a high level of protection for the service providers in terms of how little they have to do in responding to discovery that it really needs to be readdressed by Congress in a meaningful way.
Sharon D. Nelson: Why don’t you think they have done that?
Craig Ball: I think that they have more important things to do, like lowering the tax rates for very wealthy people and trying to knock 24 million people off the insurance rolls, they have got their hands full over in Washington right now.
John W. Simek: Sharon, why did you set Craig up?
Sharon D. Nelson: Because I knew where he was going to go.
Craig Ball: I am such an easy mark.
John W. Simek: You are such a good friend Craig. We can read you. Well, getting back on track and another question that we hear a lot as well is, and I know I hear this one when I talk to lawyers is that, why do I have to hire you or hire an expert just to collect Gmail and Facebook, they don’t have any budget for that. So what are your thoughts on that kind of a comment?
Craig Ball: Well, I certainly wouldn’t speak for you, but there’s no reason to have to hire me on that sort of thing. I think it’s very simply people have a lot of fears about preservation, collection of digital evidence, and when lawyers are afraid of something, when lawyers sense exposure under the way, they try to solve that problem by throwing money at it.
So often I will say to prospective clients who hire me for preservation, look, it’s something you can do, let me talk to your IT person. I can walk them through how to do it. I can help them make a proper chain of custody and so forth. Why pay my minimum engagement for something so simple. And dollars to donuts, they are still likely to say, well, I would still rather have it done by an expert, who if I have to call them to testify they can demonstrate that they knew what they were doing and I appreciate that vote of confidence.
Truly I don’t think our justice system can accommodate the need to bring in an expert for the routine case, not needing forensics for fairly benign stuff that we use everyday. So if you have to hire an expert, the more you know, the less you feel compelled to hire an expert. If you can do it competently in-house, I think that it can be safe for it to be done in-house by a law firm.
Sharon D. Nelson: Well, that’s interesting because I hear a lot of people worry about whether it’s safe for a law firm to do collections. They worry that law firm employees might have to become witnesses in the case and risk disqualification. So how do you answer that concern?
Craig Ball: I hear that concern frequently. I like to take lawyers my age or near that, back to the time of paper, it would never have occurred to a practicing attorney in the 1980s that there was anything wrong with sending a paralegal or an associate attorney or almost any trustworthy individual to a client to collect, identify and duplicate paper documents and paper evidence. And the reason for that is we all understood how that was done. We all felt reasonably competent; of course in that day lawyers hands didn’t touch keyboards or copying machines, but we all felt reasonably competent to be able to use the technology that allowed us to make our own sets.
I don’t think I ever heard a lawyer say, well, I would have gone over and made the photocopy, but I was afraid it would make me a witness on the chain of custody; therefore, we hired an expert to do it. That’s absurd.
And I think that’s the same way today with electronic information. The reason we weren’t disqualified making our own copies and handling the chain of custody on paper documents is that courts viewed that as a ministerial task that did not make us a witness on — material evidence in the case.
I think we are getting to the point, if we are not already at the point, that if a lawyer or an in-house paralegal or IT person understands what they are doing when they are collecting and preserving and encapsulating for authentication electronic information, then that can be done as a ministerial task that is unlikely to lead to disqualification, in much the same way as we took that for granted with paper documents.
Sharon D. Nelson: Have you ever seen that language in a court opinion, Craig; I never have so I am curious?
Craig Ball: I mean have I ever found a court opinion that says that a lawyer who knows what they are doing is competent to preserve information? I haven’t, but then on the other hand, I haven’t seen anyone successfully challenge someone who knew what they were doing.
Mind you, I am not saying that you are qualified because you are a lawyer or you work for a law firm or you are an IT person. I am saying you are qualified because you have done your homework to understand the process and you have obtained the necessary instruction and experience to do it. The instruction necessary to collect and authenticate electronic information from common sources like email and the main social networking sites and a few other sites is dead simple, and once you learn it, you can qualify in any court that what you did was straightforward, ministerial and you were competent to do it. In fact, a challenge won’t even gain traction.
Sharon D. Nelson: Okay, fair enough. I just wonder about somebody getting on the witness stand, is it a better practice to have someone other than the attorneys who are actually going to be involved in the case doing the collection?
Craig Ball: You know, I suppose the optics of it somehow feel better, but honestly, if a firm is disqualified, a lawyer is disqualified, it kind of works both ways. I don’t think judges are going to want to set up these Chinese walls within law firms for purposes of acquisition.
The bottom line is this, if the information is acquired in a competent way and that competence can be demonstrated, if nothing has been lost or altered and both of you are well familiar with the many ways we can go about demonstrating that nothing has been lost or altered, it doesn’t really matter if it’s done by a lawyer, a layperson, a technician or a hired expert, the process is the same and the process is made defensible in the same way.
John W. Simek: Well Craig, I am not a Facebook user, so I am one of those guys that is screwing up with those averages that you referenced earlier, but I know that it has a capability of, I can’t remember exact words that it says, download your data or something like that. Is that acceptable to preserve the Facebook stuff and what about other like Internet things like the Wayback Machine?
Craig Ball: Well, that process is — I refer to it as takeout. I think that Takeout is the term used by Google for its range of services and I like that. So the various services, some of them at least, have a variety of takeout mechanisms. Facebook was one of the first to allow users to take out, to download and replicate locally their contributed content to their Facebook page.
Is it sufficient? Well, that really depends upon the issues in the case. If all that is at stake is what the individual user contributed to their site, the photographs they posted, and the comments they made, the Facebook takeout is pretty good for that. It’s free, it’s simple to use, it’s supported by the application itself, so there’s no question that there was full access to the content.
The problem that I see with that John, in the case of Facebook is that contributed content, post to the walls. What your Facebook friends have to contribute is not a part of that takeout, and I think for most of these cases you are wanting to see not just what the individual has posted, but you want to see the comments that were made and contributed. And so whether or not it’s adequate depends upon whether or not it fully encompasses the potentially relevant information.
In my case, I am not terribly fond of the Facebook takeout because it is somewhat incomplete and I prefer to turn to other applications and other techniques.
With respect to the Wayback Machine, the Wayback Machine at archive.org; archive.org has got this wonderful tool that periodically spiders publicly facing websites and captures what they appeared at certain times in the past and you can give it a website, you can go back and see what a user and a person accessing that site would have seen, sometimes even many years ago. I am a little ashamed when I look back at some of my very early forays onto web building.
But the Wayback Machine is only going to be for publicly available information and increasingly the things we look for in social networking and certainly in Webmail are going to require credentials, user IDs and passwords at a minimum in order to access that. And so you are not going to find that sort of thing on the Wayback Machine, because the Wayback Machine doesn’t have those credentials when it goes around sucking down pieces of the web.
So it can be useful if you are trying to see what a website showed in the past, but only if it’s a publicly available website and not one requiring credentials.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes Website Scanning, Web Application Firewall, including Distributed Denial of Service mitigation, and 24×7×365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today, visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Practical Approaches to Preserving New (and Not-So-New) Media. Our guest is our friend Craig Ball, a Texas lawyer living in New Orleans. Craig limits his practice to work as a Special Master in electronically-stored information and consults for and trains lawyers and courts.
So Craig, what about screenshots; something I actually know how to do and so do a lot of other lawyers, tell us what’s wrong with screenshots?
Craig Ball: Well, there’s certainly a place for screenshots in preservation. It’s a lovely way to be able to show what something looked like, the layout and the user experience, and so I wouldn’t discourage people certainly on some key things dealing with screenshots. They are a nice thing to attach to motions and so forth.
But when we come to the world of e-discovery Sharon, as you and John well know, there are other issues with electronic data, particularly when we are talking about voluminous electronic data, and they go to issues of completeness, searchability and authentication.
From the standpoint of completeness, for those listeners who are Facebook users, they know how prone Facebook is to basically collapse content more than just a few posts or a few comments. And so if you are trying to use screenshots to reveal everything associated with the user’s work on Facebook or their Facebook environment, you would have to be extraordinarily vigilant and screen by screen going and digging down and opening up and exposing every level of nested content, and dollars to donuts, you are going to miss something, it’s going to happen.
So completeness is an issue with a screenshot. There’s always something that’s not likely to make it on the screenshot.
Searchability is a huge issue, because screenshots are not inherently electronically searchable. While it’s fine if you have a couple of pages of screenshots to be able to read them, when you start talking about users who spend 47 minutes a day or 40 minutes a day on Facebook and go every day, the contributed content is extraordinary, and the process of going down page, after page, after page to collect it is very time-consuming.
So you need to get it in electronic formats that are inherently electronically searchable and those in turn can be imported into electronic review platforms and assimilated with the normal workflow of electronic discovery review.
Finally, you have the issue of authentication. The better tools for collection of cloud content, Gmail and social networking content will also grab some of the electronic content underneath the visible page, and they will often add an overlay of digital fingerprinting of the data through hash authentication, cryptographic hashing that will allow you to say this picture, for example, that I collected is absolutely identical to the one that appeared there, before or after, and I have the hash values for the page components to be able to prove that no changes have been made.
So you have got issues, as I say of, is it going to be complete with a screenshot, screenshots are inherently not text searchable, and they can be harder to authenticate. At a minimum you will need a witness who can demonstrate that they recall the appearance of that page and that the screenshot truthfully, accurately, and faithfully replicates what they saw. I don’t know about you, but I can’t remember what I had for breakfast, let alone what a page looked like exactly when I saw it six months or a year ago.
John W. Simek: So Craig, talk to us about some of the options for web pages, Acrobat and those types of tools.
Craig Ball: Well, with web content, again, it depends upon whether you have credentials or not, and we could have a long discussion about whether you want an opponent’s client to give you their credentials, whether you want those to be handed over to a neutral expert, or have them yourself. I have concerns about that, but remember, in order to get the stuff that is the evidence, you very likely have to be able to log on with the same privileges and credentials by the account owner and that raises some issues.
But assuming you have those, you have a variety of tools available to you that can be used to memorialize web pages, including some pages requiring authentication. They can be called web crawlers. Now, these are essentially tools that will look at the pieces of each page and will recurse or drill down the number of levels that you tell them to drill, a setting that must be approached with enormous care, lest you begin downloading the entire Internet.
I have seen people get into enormous difficulties, filling their whole hard drives until they crashed by telling it that they want to go down say six levels. Well, you know about the whole six degrees of separation idea, that we are all related. But whatever, when you go down six levels in the Internet, you are basically downloading terabytes or petabytes of data.
So I digressed, come back to it. If you are, as most lawyers are, if you are an owner of a tool like Adobe Acrobat, not the Acrobat Reader, but the Acrobat Creator process, Adobe Acrobat, it’s about, I guess depending upon what license you have, let’s say about $350 program I think. You can use a feature within Adobe Acrobat to crawl and create PDFs with embedded hyperlinks of web pages. It’s not always a perfect solution. Sometimes it doesn’t — I mean for example, it’s not going to do all the levels of recursion, of opening the pages, the replication and so forth that I raised with Facebook.
But for many instances what we face in preservation, I think the use of Adobe Acrobat, particularly its use in consultation with an opponent who says yes, that will be a reasonable approach when you have that meet and confer opportunity, I think most people will find that to be a very cost-effective, easy to use and generally sufficient means by which to preserve a searchable electronically-enabled replication of a website.
There is also a Google Drive add-on for Chrome that allows Chrome users, the browser users to be able to save web environments with the drilling down features that I talked about to a Google Drive account. And then there’s other both commercial and there are open source applications. One that I need to mention is called X1 Social Discovery.
This is a program that I believe runs about $2,000 for an annual license, and it’s a program that a lot of service providers and forensic examiners have, and it is purpose built for collecting social networking evidence.
Another one that is in the works, it’s in sort of a skunkworks beta now I believe by a mutual friend of ours named Andy Adkins, is a tool called Social Evidence, and it is going to apparently do much of what X1 Social Discovery does, which is the automatic and defensible downloading of social networking sites, but it’s going to do it storing it on the web, in the cloud, instead of downloading it locally to a hard drive.
And we could go on. As I say, open source, there’s a tool called Wget or the more user-friendly graphical interface version called Gwget, that’s literally Gwget. Now, this is the Breakfast of Champions tool, but what I mean by that is that if you are going to have people that use this, so this is the tool that Edward Snowden used to scrape data from the NSA.
So I mean Wget is Snowden approved, and so you are going to want to retain huge amounts of information by spidering websites internally or externally. Wget was used by Snowden; it was also used reportedly by Chelsea Manning when Manning grabbed all those diplomatic cables. So this is the hackers’ tool.
So as I say, much out there, ranging from free to $2,000 that are very likely going to be fairly user-friendly and strongly defensible when used by someone competent in their use.
Sharon D. Nelson: Well, that was a great rundown of some terrific products, so thank you for that.
We are pretty much close to the end of our time here, so if I could ask you to answer the next couple of questions kind of briefly, sell me on Google Takeout, you referenced it before, but why is it so cool?
Craig Ball: Well, I think Google Takeout is the greatest thing since sliced bread, and for those who don’t remember what it was like before you could buy a loaf of bread that was sliced. The Google Takeout is free; all right, for one thing it’s my favorite price. So every person who uses Google content, which is to say Gmail users, Google Drive users, users of Google’s social networking sites and so forth, if you are storing information in some corner of Google, Google made a commitment two years ago that people should have a right to liberate their data, their data should be collectible, portable, and useful.
Now, that’s a very courageous stand on Google’s part, because the data that these various companies hold for us is their probably most valuable asset if you think about it.
Google Takeout is a means by which if you are a Gmail user, you can do some amazing things. One thing you can do is you can pull out all of your Gmail content in a standard, useable complete form, including metadata, allowing the replication of the Gmail environment, like the foldering and so forth that exists in Gmail. And the conversational strings, all of that is added as metadata in a form of takeout called an MBOX; M-B-O-X.
MBOX may be an unfamiliar terminology to many users, but for those of us who have been involved in email for a long time, we know MBOX to be one of the most versatile and ubiquitous or generic forms of email.
So you can go to Google Takeout, you can say I want my Google Drive or I want my clients with credentials, Google Drive content, I want to preserve it and I want to filter their Gmail by date or by topic or by keyword, all the search that is supported by Google so wonderfully is also supported within your Gmail collection, so you can do a lot of very defensible culling before you export to the MBOX.
So yeah, I can’t say enough good things. The answer for me when you talk about recovering Gmail isn’t going to be using Outlook, isn’t going to be using MAPI or IMAP or any of these other techniques and tools that the other geeks listening know what they are, the answer is the free, reliable and efficient Google Takeout. And did I mention it was free?
Sharon D. Nelson: A lawyer’s favorite price.
John W. Simek: Yeah. So Craig, talk to us briefly, I know you mentioned some of this earlier about sponsoring witness, the importance of metadata, hashing as an authentication tool and all that, but is there anything else that you want to mention about that that you haven’t already.
Craig Ball: I think we have hit the high points and I know we are short of time so I don’t want to go on about these things. I do think that when you are looking to consider a tool for preservation, if you anticipate the possibility that the information may be challenged for authenticity, completeness, or alteration, then it’s important to consider the forensic fundamentals, which is, you want to be sure you have collected the associated metadata with the information, and below Facebook content and other content there can be metadata.
And you want to consider whether the tool you use has the capability of hashing the page components and the textual content components so that if you are challenged down the line about the failure to preserve it against alteration, you will be able to go back to hash values that were stored back in the day, back at the time of acquisition and demonstrate to the satisfaction of an opponent and expert or the court that you haven’t tinkered with the content.
Because ultimately most of this content is simply text and there’s very little that is easier to change than text. So without something allowing you to demonstrate that the text is unaltered, you are always vulnerable to that charge.
Sharon D. Nelson: Well, as always, this has been a delight. We have been all over the range here, we have invented a new law, we have established how old you are, because you remember when the bread wasn’t sliced, and we have got a Snowden seal of approval. And sometimes when you talk, it is just amazing how what you are saying imprints itself on the brain, because you always say it so colorfully, and of course with your expertise, it makes it all the better.
So thank you for sharing that expertise today with our listeners, Craig. We always love having you on.
Craig Ball: The pleasure is mine. Thank you very much for thinking of me on this topic.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on iTunes. If you enjoyed this podcast, please review us on iTunes.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and cybersecurity services at senseient.com. We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.