Recovering The Deleted File
In the growing story about text messages here in the City of Detroit, there has been a lot of focus on the issue of “Deleted Files” and if deleted files can be recovered. Yesterday (April 29, 2008) we did an interview for “Ruth to the Rescue report on Local 4 News/WDIV-TV, Detroit, MI” .
Ruth Spencer is a Consumer Reporter and her story line focused on how the consumer needs to be aware that merely deleting a file from the computer does not erase the file. In her interview with Ives Potrafka, a Senior Forensic Examiner for the Center for Computer Forensics, she learned that deleted files can be recovered fairly easily if you have the correct tools. She also learned that the Data Recovery Group has an extensive business recovering lost files.
At the close of the interview Mr. Potrafka suggested that if consumers want to protect themselves from people recovering deleted files, then the consumer should research wiping utilities on the web. Ruth closed the segment with a warning to consumers that they needed to diligent when getting rid of their old computers to make sure that their sensitive information, is in fact, unrecoverable.
As a follow on, Mike Wendland, the Technology Editor for the Detroit Free Press, wrote an article today (April 30, 2008) entitled “More proof that deleting a file doesn’t kill it”
The article said, in part:
Here’s a computer secret most people don’t know: The delete key doesn’t really delete. A deleted computer file can usually be recovered, even if it seems to have been removed from your hard drive.
As the latest chapter in Detroit’s ongoing saga of the mayor and his text messages unfolds, we once again learn a valuable technology lesson: Computers seldom forget.
The latest round of messages, further illuminating Mayor Kwame Kilpatrick’s affair with then chief of staff Christine Beatty, was released Tuesday by Wayne County Circuit Judge Robert Colombo Jr.
A forensic expert recovered the document that contained the messages from the computer of Mike Stefani, the attorney for three former Detroit police officers who sued Kilpatrick.
What the article does not say is that the file was reported to have been deleted by Mike Stefani from his computer in late 2007 as part of a law suit settlement. The file was recovered in late April 2008 by a computer expert. The use of the computer for several months did not overwrite the file that was recovered.
What the consumer needs to understand is that the delete key in a Windows environment does not erase a file. In windows, deleting a file puts the file into the recycle bin. In essence all the user has done is move the file to a different folder on the hard drive and modified the file name. When you empty the recycle bin, the user has told the computer that the space is available for the computer to store another file. Given the size of hard drives today, that file may not be overwritten for a long time.
The analogy I like to use is the manual card file at the library:
- The delete key removes the index card form the catalog. The book is still on the shelf and the Librarian can put the card back in the catalog.
- Emptying the recycle bin is the Librarian throwing the card away. The book is still on the shelf and will remain there until another book needs the space.
- A wipe utility overwrites the space where the file was stored and effectively removes the file from the hard drive.
To ensure that the data has been fully erased we recommend that the data utility used overwrite the physical areas of the hard drive multiple times with varying patterns. To learn more Google “wiping utilities” or “data eraser”. I have used Webroots Window washer in the past and it seems to work fairly quickly.
Data Recovery Diagnositics
Data Recovery Diagnostics
This is intended to be a guideline for determining whether a hard drive is failing physically or if the drive is a candidate for software recovery by technicians in the field.
There are many commercial utilities that will allow users or qualified technicians to recover data from a hard drive that is otherwise inaccessible. Commercial utilities work with varying degrees of success. The question to be asked is when is it a good idea to use these utilities versus when is a good idea to send the hard drive to Data Recovery Group?
The first step is to determine if the hard drive is functioning. If the hard drive is functioning properly it should be recognized in the CMOS and you should be able to boot the system from another media source, such as a floppy, CD-ROM, or another hard drive. If there are any BIOS errors when attempting to boot the system the hard drive has malfunctioned and needs to be sent to Data Recovery Group. If during the boot process the system is unable to boot from an alternate media source, this is another indication that hard drive is malfunctioning. Further attempts to boot the system could seriously reduce the likelihood of a successful data recovery.
If the system can be successfully booted the next step is to attempt to run the data recovery utility. Most utilities work in the same way. The first step the data recovery utility performs is to scan the drive to locate the file system components. Most utilities will display this scan with some type of progress meter. It is necessary to monitor progress and to stay with the hard drive while the utility is operating. If the hard drive starts to make unusual noises stop the scan immediately and power down the computer. The hard drive will need to be sent to us. Another thing that needs to be watched is the rate of progress for the utility. Usually there will be a count of sectors read. The count should steadily increase and it should not stop. If the count or progress does stop the scan should be terminated and the computer powered down. Failure to stop could jeopardize the likelihood of a successful data recovery. The hard drive should be sent to Data Recovery Group.
If there are any signs that the hard drive is failing physically, it is important that software data recovery utilities not be used on the hard drive. Hard drives usually fail gradually and this failure process will be accelerated during a full scan of the hard drive necessary for most data recovery utilities to recover the data.
It is important to read the instructions provided with any data recovery utility you may use on a hard drive. It is important that if you can complete a scan of the failing hard drive that the recovered files are not saved back to the hard drive you are trying to recover. It is possible o save recovered files on the source drive and if this occurs the recovered files could overwrite other files you are trying to recover.
In conclusion, it is very important to determine if a drive has any physical failure before attempting to recover the data using a utility. Data Recovery Group has received many hard drives from customers where the data could have been recovered had we received the drive right after the original failure. Repeated attempts to recover the data with software rendered the drive useless and the data not recoverable.
Hard drives fail, always have & always will…
The ability to properly diagnose & temporarily restore a disk drive to operating condition is vital to the recovery of data. If you have experienced data loss, it is the result of a mathematical problem, a mechanical problem, an electrical problem or a combination of the three, and Data recovery Group is uniquely qualified to recover your data.
Seagate Warranty
In February 2007 Seagate wrote to data recovery companies informing us that effective February 15, 2007 that they would no longer honor the warrany Seagate and Maxtor hard drives if the seal had been broken on the drive. Prior to this letter, Seagate would honor their warranty if the seal was broken by a data recovery company to perform data recovery services. Read more…
Implications of New Rules
The Real Implications of the New Rules on EDD
By Scott Oliver
Special to Law.com
January 23, 2007
Effective Dec. 1, 2006, the Federal Rules of Civil Procedure were amended to provide definition, structure and predictability to electronic discovery. For many litigators, the rule changes represent a fundamental shift in the way we prepare for and manage the discovery of electronically stored information (ESI) for federal cases.
Changes to state rules are not far behind. In fact, several states, such as California, Maryland and New Hampshire, are in various stages of implementing rule changes. Similar changes are already in effect in Idaho and New Jersey. While the objectives of the new Rules are clear, the necessary steps to comply with them are not. This article examines the major FRCP rule changes and their real implications. It provides a roadmap for becoming compliant while controlling business risks and understanding how the new rules can be leveraged in the courtroom.
EARLY ATTENTION TO ELECTRONIC DATA DISCOVERY
Rules 16 and 26 were amended to provide the court with early notice of e-discovery issues. Specifically, Rule 16(b) now states that the scheduling order must include "provisions for disclosure or discovery of electronically stored information" and "any agreements the parties reach for asserting claims of privilege or of protection as trial-preparation material after production." Rule 26(f) requires that parties "discuss any issues relating to preserving discoverable information and to develop a proposed discovery plan." Before the new Rules, this plan was often communicated well into the litigation process, years afterward in some cases. But since these new requirements are now part of the initial "meet and confer", the time frame has been significantly reduced. Under Rule 16(b), parties must "meet and confer" at least 21 days before the scheduling conference (which must occur within 120 days after filing the lawsuit). The bottom line is that parties must define and share their e-discovery plans within the first 99 days of a case.
The real implication of this rule change is that the number of cases subject to rapid case assessment, litigation holds, evidence preservation and collection will increase significantly. Large U.S. companies are already concurrently managing 556 cases on average, with an average of 50 new disputes emerging each year.[FOOTNOTE 1] Moreover, due to the increased number of requests and the large amounts of data now categorized as discoverable ESI — e-mail being the most voluminous — these rules will significantly impact corporate resources and e-discovery processes. This will be especially challenging in e-mail-related cases, where the job of finding and sifting through repositories of e-mail is notoriously costly and timely.
To cost-effectively scale and meet the new timeline, technology must play a role in the discovery process to:
1. accurately analyze terabytes of data, enabling rapid early case assessment and ensuring litigation readiness; and
2. audit the current e-discovery process to ensure it’s cost-effective, predictable and defensible.
A defined, defensible e-discovery process will also be necessary for protection under Rule 37(f), the so-called "Safe Harbor Rule." The Rule states that "[a]bsent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation." Rule 37(f) may offer companies protection if ESI is lost, but only if a "routine, good faith" discovery process is well-defined, documented and followed.
KNOW WHERE THE RELEVANT ESI LIVES
With the new Rules, the first step in any litigation with e-discovery will be to identify all relevant data sources and formats. Rule 26(a) states that initial disclosures during the meet and confer include a "copy of, or a description by category and location" of relevant ESI. A critical requirement to comply with this rule is the ability to rapidly identify all relevant data sources of ESI. If additional sources are added after the fact, a judge can impose costly sanctions.
The real implications for Rule 26(a) is that litigants must inventory ESI, classify data and communicate time and cost estimates for its discovery. This cannot be done in silos — legal and IT departments must work together to understand the various forms of ESI, where they reside and how to access them.
An inventory of ESI will also help companies that seek protection from e-discovery costs under Rule 26(b)(2), "protection due to undue burden or cost." In fact, it would be impossible to seek protection under Rule 26(b)(2) without it. Rule 26(b)(2) was designed to handle the difficulties in discovering information by stating that a party "need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost." This might sound like available protection for ill-prepared companies but be warned — it’s not a panacea for all e-discovery issues. It’s widely accepted that business e-mail and documents — comprising the vast majority of company ESI — be readily accessible, so these type of documents won’t normally be protected by this rule. The key here is to make the e-discovery process as scalable and cost-efficient as possible using sufficient resources and available technology. Make sure you determine the best way to:
- Efficiently access corporate data sources where ESI is created, stored and archived (e.g., e-mail systems, networked storage, archives);
- Rapidly find, hold, analyze and produce only the relevant ESI for each case;
- Minimize e-discovery costs by centralizing ESI repositories over time;
- Send only the relevant ESI to requesting parties.
The combination of inefficient e-discovery processes and large amounts of ESI make the inadvertent transfer of privileged or otherwise protected ESI a real possibility. Don’t be lulled into thinking that Rule 26(b)(5), which provides a mechanism to "claw back" inadvertent transmission of privileged and protected ESI, offers suitable protection. That simply isn’t the case.
The real implication is that if inadvertent transmission does occur, it’s almost impossible to completely recover all trade secrets, intellectual property, privileged information, etc., resulting in potentially significant legal, business and financial risks.
This rule should serve as an alarm to the real risk of privileged information disclosure. Because of potential damages, take heed and only produce relevant and nonprivileged ESI. Utilize readily available technology to expedite the process by analyzing and "culling down" ESI from an initially large set to a much smaller, relevant, nonprivileged set for production. By performing more analysis up front in the e-discovery process, litigants not only protect themselves against transferring privileged information but significantly lower the cost of production.
SUPPORT NATIVE FORMATS FOR ESI PRODUCTION
Rule 34(b) was amended to determine how ESI is produced. The rule states that it’s the requesting party, not the responding party, which requests "the form or forms in which electronically stored information is to be produced." Rule 34(b)(ii) goes on to state that if the request does not detail the form(s) of production, the responding party must produce it "in a form or forms in which it is ordinarily maintained or in a form or forms that are reasonably usable."
The real implication is that we are likely to see an increase in requests to produce ESI in native formats because of the importance of searching and reviewing metadata. The knowledge gained from close inspection of ESI’s metadata, which is unavailable when ESI is produced as hard copy, can be extremely useful. For example, the date when a certain document was created or when an e-mail was forwarded can make or break a case.
CONCLUSION
The amended Federal Rules of civil Procedure dramatically change the way courts govern the use and discovery of ESI during litigation. As a result, e-discovery compliance is a subject that must be taken seriously — or invite serious consequences.
Technology is no longer a "nice to have"; with the rule changes it’s a "must have." The best solutions will be technology or services capable of analyzing and producing ESI in native formats. As an industry, we cannot afford to ignore the rising costs of e-discovery or view ESI investigations as an ad hoc fire drill. To effectively comply with the new rules and turn the tide of e-discovery costs, e-discovery must evolve into an efficient, accurate and predictable process.
::::FOOTNOTES::::
Scott Oliver is a partner at Pooley and Oliver LLP. Oliver specializes in the litigation and trial of patent, copyright and complex technology-related cases in state and federal courts, as well as before the International Trade Commission. Prior to joining Pooley and Oliver, Oliver was a partner with Gray Cary Ware and Freidenrich, specializing in intellectual property litigation. Oliver spearheaded his firm’s decision to implement the Clearwell E-Mail Intelligence Platform to automate its e-discovery process.
Law.com’s ongoing IN FOCUS article series highlights opinion and analysis from our site’s contributors and writers across the ALM network of publications.