Beyond the What - Getting to Why by Steve Ellwood

Knowing "What" is important.  It is a 'necessary but not sufficient' condition, to take a page from our mathematician friends.  It is finding out the "Why" that is the reason for our investigations.  And yet so many investigations stop short and simply present the "What".

Let me explain.

There are two approaches to an investigation.  

The first is most common - recover the evidence, then list details of the found evidence.  Turn it over and look at it, note its characteristics, determine where it was found...  In the world of the 5 "W"'s, this investigation is the "What" part.

Most digital forensic reports that I have read in the last decade spend all of their time on the "What".

This image was created on Wednesday December 12 2014 at 10:03am local time.

This document was found in the Recycle Bin of the c: drive of the Computer.

This email was sent to Sally Jones by Bob Smith - content provided below.

And despite there always being hundreds and sometimes thousands of pages to these reports - these "What" reports - the reader is left to their own devices to figure out the other "W"'s for themselves.

At the end of the tomes, you can feel the authors slapping the dust off their hands and hear their self-congratulations for a job well done.

But these reports and these investigators have missed the point.  Data without interpretation is "noise".

Our approach takes a larger view.  Of course we have "What", but we add Who, When, Where and How.  

"Who, When, Where and How" are more than just a subset of "What".  

Dropping the sender's name and email address, along with the date and time the email was sent and reporting that it came from Microsoft Outlook 2010, into the report that presents the 'email' is really just more "What" reporting.  It is easy and if that's all that is provided, it is lazy.  It is not analysis.

Analysis comes from taking these aspects of "What" and putting them into context.

Profiles of the evidence that originates with a specific party, their emails, documents, web browsing history show who they are, what they are up to.  An analysis of the channels of communication, calls, texts, emails, chats, between two parties can give insight into who is influencing who - whose idea was this "hare brained" scheme anyway?

Communication patterns can uncover the "mastermind".  Sure, we might have the data from 6 of the parties.  But a pattern analysis based on a theme can demonstrate perhaps that a seventh person, perhaps missing in the evidence, was the leader of the development of the idea.  Presenting this graphically, and adding the dimension of time, can vividly show the evolution of the idea and point clearly to their "promoter".

One of the most powerful techniques we use comes from the eDiscovery world and before that from the paper evidence world.  Our lawyers always want a timeline.  Put the documents in chronological order please - every time.

Why do they want that?  Because, while the document itself is important - it's "What", the dimension of time is what tells the story.  It is not sufficient to know Winnie-the-Pooh's height, weight and circumference and that of Rabbit's rabbit hole entrance to appreciate Pooh getting stuck in the door.  We need the story.  And we need it to be accurate, complete and consistent if we are going to entertain or, more importantly, persuade the listener.

With digital investigations the data replaces the 'documents' in the eDiscovery story.  Of course, documents make up part of the digital evidence, MS Word documents, PDF files, email - the traditional 'documents' are found on computers and mobile devices and cloud stores - but they are all still documents in the eDiscovery/Paper world.  But there is so much more information to be had in the "data" from a digital investigation.

For a start, there is the "simple stuff".  In many cases a "business letter" has a date written on the first page.  In the eDiscovery/paper world that's the date that is used to place this bit of evidence in the timeline.  This is a valuable piece of information and must be captured. But…

When we recover that business letter from a digital storage media, like a USB thumb drive or a hard drive in the laptop or off a file server, we get so much more.  

A Word document has a "creation date" - when the file was either first drafted or when the file was copied to the data storage volume (call it a drive letter) where it was recovered from.  

It also has a last modified date.  When was the file last saved - perhaps think of this as the date of the final version stored on the hard drive.

Right off the bat we have three dates - the letter's date on the first page, the creation date and the last modified date.  Are all three important? They might be very important.

Placing this information about the document in a timeline might show that (a) the letter was started three weeks BEFORE the date on the first page of the letter, and (b) the date the letter was last edited was 2 months AFTER the date on the first page of the letter.  Was the letter genuine?  Can we learn about the thinking process, dare we say "intentions", of the author knowing it was started weeks before and last modified months after it was dated?

If we don't have this information available in a timeline, we can't see anything but the date on the first page - we are potentially misled and the true events are missed.

Digital evidence provides far more insight than this simple example.  With regard to a Word document we can usually determine when the document was last printed, who the author was, how many minutes the document was worked on and much more.
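The three-date comparison described above, worked through in code.  This is an added example, not code from the original post or from ellwood Evidence; the document records are constructed, and the "how many days before or after is worth a flag" thresholds are assumptions chosen for the illustration.  It also covers one caveat the post raises in passing: a creation date that is later than the last-modified date usually means the file was copied onto that volume, so the creation date does not show when drafting began.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class DocRecord:
    """One recovered document with the dates discussed above."""
    name: str
    letter_date: datetime                     # the date typed on the first page
    created: datetime                         # creation timestamp from the file system or metadata
    modified: datetime                        # last-saved timestamp
    last_printed: Optional[datetime] = None   # Word's "last printed" field, if present


# Constructed sample records, not taken from any real matter.
SAMPLE_DOCS = [
    DocRecord("Letter to Supplier.docx",
              letter_date=datetime(2014, 3, 10),
              created=datetime(2014, 2, 17),       # drafting began 21 days before the letter date
              modified=datetime(2014, 5, 9),       # last saved 60 days after the letter date
              last_printed=datetime(2014, 5, 10)),
    DocRecord("Memo re Pricing.docx",
              letter_date=datetime(2014, 5, 19),
              created=datetime(2014, 6, 1),        # created AFTER modified: copied onto this volume
              modified=datetime(2014, 5, 20)),
    DocRecord("Cover Note.docx",
              letter_date=datetime(2014, 4, 1),
              created=datetime(2014, 3, 30),
              modified=datetime(2014, 4, 1)),
]


def build_timeline(docs: List[DocRecord]) -> List[Tuple[datetime, str, str]]:
    """Flatten every dated fact about every document into one chronological list."""
    events = []
    for d in docs:
        events.append((d.created, d.name, "created on volume"))
        events.append((d.letter_date, d.name, "date on first page"))
        events.append((d.modified, d.name, "last modified"))
        if d.last_printed is not None:
            events.append((d.last_printed, d.name, "last printed"))
    events.sort(key=lambda e: e[0])
    return events


def flag_anomalies(doc: DocRecord,
                   drafted_before: timedelta = timedelta(days=14),
                   edited_after: timedelta = timedelta(days=30)) -> List[str]:
    """Return the gaps between the three dates that deserve a second look.

    The thresholds are assumptions for this example, not a standard; the point
    is to make the comparison explicit instead of leaving it to the reader.
    """
    flags = []
    if doc.created > doc.modified:
        # A creation stamp later than the last save is the usual sign that the file
        # was copied to this volume; the creation date then says nothing about drafting.
        flags.append("creation date is later than last-modified date: "
                     "file was likely copied to this volume, not drafted here")
    lead = doc.letter_date - doc.created
    if lead > drafted_before:
        flags.append(f"drafting began {lead.days} days before the date on the first page")
    lag = doc.modified - doc.letter_date
    if lag > edited_after:
        flags.append(f"last edited {lag.days} days after the date on the first page")
    return flags


def report(docs: List[DocRecord]) -> List[str]:
    """Timeline lines followed by one line per anomaly, ready to hand to counsel."""
    lines = [f"{when:%Y-%m-%d}  {name:<24} {what}" for when, name, what in build_timeline(docs)]
    for d in docs:
        for f in flag_anomalies(d):
            lines.append(f"FLAG  {d.name}: {f}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DOCS)))
```

Run as-is it prints the merged timeline for the three constructed documents and then the flags: two for the supplier letter (started early, edited late), one for the memo (copied, not drafted, on that volume), none for the cover note.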

For some, we might be too far into the technical weeds already.  You don't need to understand that the area of a circular rabbit hole can be calculated as "Pi*r^2" to appreciate the story of Pooh getting stuck.

For the story to exist at all you need someone to point out that the hole is too small for Pooh.  The work of the digital investigator is to provide that context.

Computers and mobile devices are machines and everything they do leaves a trace.  Unlike humans, who can sit quietly thinking, computers can't compute without instructions, without logging the actions they are made to take, without leaving behind a happy hunting ground of evidence.

Are these elements of evidence "documents"?  No, not in the traditional sense.

They are, nonetheless, substantial, reproducible evidence.

When was the computer turned on?  Who logged in?  What did the user of the computer do first?  Web browsing - to what sites?  What did they search for?  Did the user delete any documents?  Which documents?  From where?  Was a USB memory key inserted into the laptop?  Can it be identified?  What was copied to it?  When?  Did they save an Excel spreadsheet, what time?  What spreadsheet? Did they open Facebook and start an online chat?  With who?  What was said?

And on and on, nothing for miles and miles but tall grass and weeds.

We integrate all of this data into a Grand timeline.  Sometimes for just one user, sometimes for a group of users across different devices.

Much of it is not relevant.  "Hi mom, I'll come see you on Saturday".  While other events might be vital, user SmithB copied the "Master Contact List.doc" file on Wednesday 5:10pm to a USB stick labelled "Bob's Stuff".  Our machete, guided by our understanding of the case, working closely with counsel, cuts a path. 

It is our view that digital forensics is about providing this context and assisting counsel in sorting out all the data to provide meaning not just of the documentary data but of the actions taken by users.

What about "Why"?  

"Why" is the important part. 

Once you have established the other "W"'s and the "H", "Why" is the difference between winning the case and losing it.

Pooh ate too much honey.  That's why he got stuck in Rabbit's doorway.

We know the events, the arrival, the reluctant invitation, the eating from one honey pot after another after another, the departure.  The problem arises from the timeline of events.  The solution also is shown in the timeline.  What did people, or animals I suppose, do?

The story flows from the data.  The why is much easier to understand and explain in the context of a timeline.

Pooh LOVED honey and he had little self-control.  Given the events told as a story, everyone accepts that was the cause.

When your case has a bear stuck in a door consider asking us to help you reach the "Why", efficiently.

Spoliation or The Unbearable Lightness of Destroying Evidence by Ronald Davis, JD

The intentional concealment, destruction, alteration or mutilation of evidence, usually documents, making them unusable or invalid.

- The Law Dictionary

You’d think destroying evidence would be a no-brainer no-no. If someone shredded a file cabinet’s worth of documents while they were in the middle of a lawsuit, a reasonable person would expect the litigant to suffer consequences. A reasonable person would expect a judge to say:

“You destroyed evidence. We can’t know what you destroyed. Maybe it was relevant to this case. Maybe it wasn’t. But now we can never know. So I am going to hold that against you. I am going to presume the destroyed evidence would have hurt your case. This will be one of many factors in my decision. But it will be a strike against you. I will make an adverse inference against you.”

So why does it seem to be that when it comes to destroying digital evidence, litigants can get away with it?

That’s the unfortunate impression we are left with when we read the Ontario Superior Court of Justice’s decision in Nova Growth Corp. et al v. Andrzej Roman Kepinski et al. 2014 ONSC 2763 (CanLII).

It’s a long decision, but the part that deals with spoliation is relatively short. It begins at paragraph 288.

To summarize and simplify, the plaintiffs in this multi-million dollar case complained that the defendants had erased digital evidence. They asked the judge to make an adverse inference against the defendants. The judge rejected the plaintiffs’ request. He found there was no spoliation.

We see all sorts of problems with the decision. The judge, in our opinion, does not appear to grasp correctly either the law about spoliation or the technological details of the evidence before him. But we won’t go into a full analysis here.

The main lesson to draw from the decision is this: when there are signs that digital evidence has been destroyed, it is not enough to have a forensic expert do an analysis of the digital media in question. The analysis has to be prepared and presented in a way that addresses all of the elements of spoliation in a way that the court can understand. It has to cover not only the technology but the law as well. And it has to be lawyer-friendly and judge-friendly.

In other words, the forensic analyst needs to be law savvy. The lawyer directing the analyst needs to be technology savvy. And they both need to be courtroom savvy.

Of course we at ellwood Evidence would say that, because that’s just what we’re about: being law savvy, technology savvy, courtroom savvy.

But we see the fundamental problem with the decision in Nova Growth Corp. et al v. Andrzej Roman Kepinski et al. as being a failure to combine those three elements.

No one disputes that it is wrong to destroy evidence. But when it comes to digital evidence, it seems that lawyers and the courts still have a way to go in coming to grips with digital spoliation.

The Latest on the 4 Letter Word You Need to Know: EDRM 3 by Ronald Davis, JD

Not long ago we wrote about the EDRM - the Electronic Discovery Reference Model - and explained why anyone involved in litigation - lawyers and clients alike - needs to know about it. That’s still true. So, if you haven’t had a chance to read the piece, you can do so here.

When we posted the article, the EDRM was in its 2nd version. Recently, the 3rd version came out. It builds on version 2, and adds an interesting twist. We thought we would update you.

First, a reminder of what EDRM 2 looked like:

Now EDRM 3:

There are three obvious changes between EDRM 2 & 3:

  • The “Information Management” square has become the “Information Governance” circle

  • The line at the bottom linking “Presentation” to “Information Governance” is thicker

  • The terms “VOLUME” and “RELEVANCE” are more prominent

Here, from the EDRM website is the explanation of these three modifications:

The leftmost item in the model has been renamed “Information Governance” and its shape has been changed from a rectangle to a circle. These edits better align this diagram with EDRM’s Information Governance Reference Model (IGRM). The adoption of a circle also is meant to show that every well-managed e-discovery process should start and end with sound information governance.

In addition, the line from Presentation to Information Governance has been widened. This emphasizes that no e-discovery process is fully completed – no matter at what stage it stops – until it has been looped back to IG.

The final update to the diagram is the increased size of the words “VOLUME” and “RELEVANCE” in the bottom corners of the diagram. This change draws greater attention to the two core objectives driving most e-discovery projects.

In a nutshell, EDRM is telling us to pay more attention to information and how it is handled. We all need systems in place to store, track, manage and, if necessary, retrieve the data. We need to be on top of how and where data is created, how and where it is stored, how and when it is deleted, and who oversees all the processes.

The EDRM has a useful infographic outlining the elements of Information Governance:

The EDRM’s message is welcome, if overdue, given that individuals and organizations alike are creating and storing more and more data every year. More than ever, EDRM is a four letter word they need to know.

Tips on e-Discovery from One Who Knows: Michelle Nash by Ronald Davis, JD

We at ellwood Evidence are proud of our team. The quality and range of skills make us really good at what we do.

From time to time, however, we team up with some of the best people working in the litigation technology space. One of those people is Law Clerk extraordinaire Michelle Nash, President of M. Nash Consulting.

With 28 years’ experience in the litigation world, Michelle can do just about anything. One special area of her expertise is e-Discovery. Over the years, Michelle has mastered, as few have, the intricacies of collecting, preserving and processing electronic documents.

We were recently working on a case with Michelle. She exchanged with us her insights on conducting e-Discovery successfully. e-Discovery is a complex process, but these tips from Michelle can make it simpler and ensure its effectiveness.

Over to you, Michelle:

The Litigation Hold

  • My first question when I’m hired is always: Have you sent out your litigation hold letter?

  • The letter should be sent out as soon as the retainer is signed. This is often not the case.

  • I also ask these questions of each potential custodian:

    • Are you aware there is a litigation hold in place?

    • Do you know what this means?

    • When did you become aware of it?

    • Are you following the litigation hold?

  • I remind the lawyer to send out a follow up letter throughout the litigation process, reminding the client that the litigation hold is in place until completion of the litigation.

  • Watch out for this: People come and go from organizations, and often the need to retain data is not passed on to new hires. This is especially important to keep in mind for IT departments.

  • When the case is over, don’t forget to notify everyone that the litigation hold is lifted.

Identifying the Custodians

  • Identify whom you need to start speaking with.

  • Once I know which potential custodians I need to start interviewing, my list always grows.

  • I like to know the workflow process within every organization.

    • Who reports to whom.

    • What data is created in the work flow.

    • What data results from the workflow process.

  • Let the client know that, in doing the interviews, you are pre-culling data sources and identifying keyword search terms that will save them money in the long run, as you can make your data collection more focused, and ensure that the keyword search terms are refined enough to limit the amount of false positive hits.

  • Be prepared to explain why (a) you need to interview new custodians whom the client was not aware of, and (b) the role that new custodian played.

The Key Player List

  • Review the pleadings to come up with a key player list (includes name, company, title, comment (including the role the individual played and who they interacted with), reference to pleading paragraph, identified email addresses, possible data sources, collection date).

  • Speak with the legal team after giving them the first draft of the key player list. Then speak with a contact at the client's office to get them to fill in other people involved who may not have been mentioned in the pleadings. Never forget that behind every good executive is usually an executive assistant who drives everything and is a huge potential data source.

  • The list allows the legal team to have a quick reference throughout the litigation. It is a great cross-examination tool for the legal team when productions are exchanged.

  • The list is an ongoing work in progress. I update it throughout the process.

  • Get the client's understanding of the opposing parties’ key players, and the relationship of those players to the client's own people.

Self collection

  • Don’t do it.

  • A law clerk should never collect data. Staff should never collect data. The in-house IT staff should never collect data.

  • If the client self-collects, the entire team is open to cross-examination on why and how the data was collected.

  • Staff often know too little about the technology and architecture behind a proper collection, but way too much about a company’s proprietary processes. When the barn door opens on cross-examination, everything is open to scrutiny.

Search Terms

  • I like to come up with a cursory list of keyword search terms early in the case.

  • Along with the search terms, I create what I call my "and not these" terms, as well.  No matter how careful you are in creating your list of search terms, you will always have false positive hits that will require culling, so the “and not these” terms track what you are culling out of the collection and why you are culling them.

  • The list is always a work in progress. The keyword search terms need to be tested and revisited at an early stage in the data collection process, to ensure they are not too broad nor too narrow.

  • I cross-reference the keyword search terms with the pleadings, so that if anyone disagrees with the suggested search terms, I can point them to a specific reference.

  • The list must be defensible.

  • The culling terms must also be defensible.

  • Inevitably, you get false positive and false negative hits. You need to be able to answer for them.

Date Range

  • The date range of relevant data is also important to determine prior to collection. There may be different ideas about when the relationship between the parties began, and when litigation was anticipated.

  • Start out as broadly as possible in the date range, narrow down in culling. You do not want to have to go back and re-collect!

Don’t Forget the Paper

  • We sometimes forget that paper is still generated, despite the fact that we work in a digital world.

  • I like to keep track of what actual paper is generated and what happens to it.

  • Many a case is won or lost on handwritten notations on a paper document.
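The search-term, "and not these" and date-range tips above, put into a small culling script.  This is an added example, not code from the original post, from Michelle Nash or from ellwood Evidence; the document collection, the search terms, the pleading references and the cull reasons are all constructed for the illustration.  It records, for every document, which bin it landed in and why, so the keyword list and the culling list can both be defended later, and it counts in-range hits per term as a quick check for terms that are too broad or too narrow.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Doc:
    doc_id: str
    sent: date
    text: str


# Constructed sample collection (not from any real matter): one subject/body per document.
COLLECTION: List[Doc] = [
    Doc("D001", date(2013, 6, 2), "Bob, attached is the draft supply agreement for the widget line."),
    Doc("D002", date(2013, 7, 15), "Reminder: the quarterly widget sales meeting moved to Tuesday."),
    Doc("D003", date(2012, 11, 1), "Old supply agreement from last year for your files."),
    Doc("D004", date(2013, 9, 3), "Lunch Friday?"),
    Doc("D005", date(2013, 10, 10), "Copied the Master Contact List to my USB stick before leaving."),
]

# Search terms, each cross-referenced to the pleading paragraph that justifies it
# (hypothetical references for this example).
SEARCH_TERMS: Dict[str, str] = {
    "supply agreement": "Statement of Claim, para. 12",
    "widget": "Statement of Claim, para. 8",
    "contact list": "Statement of Claim, para. 20",
}

# "And not these" terms: each carries the reason it is culled, so the cull is defensible later.
CULL_TERMS: Dict[str, str] = {
    "sales meeting": "routine internal calendar notices; not about the supply contract",
}

# Start broad; narrow during culling rather than going back to re-collect.
DATE_RANGE: Tuple[date, date] = (date(2013, 1, 1), date(2014, 6, 30))


def _matches(text: str, term: str) -> bool:
    """Whole-word, case-insensitive match, so 'widget' does not hit 'widgetry'."""
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None


def cull(collection: List[Doc], search_terms: Dict[str, str],
         cull_terms: Dict[str, str], date_range: Tuple[date, date]) -> Dict[str, list]:
    """Sort every document into one of four bins, recording why it landed there."""
    start, end = date_range
    result: Dict[str, list] = {"hits": [], "culled": [], "outside_range": [], "no_hit": []}
    for doc in collection:
        if not start <= doc.sent <= end:
            result["outside_range"].append({"doc": doc.doc_id, "sent": doc.sent.isoformat()})
            continue
        matched = {t: ref for t, ref in search_terms.items() if _matches(doc.text, t)}
        if not matched:
            result["no_hit"].append({"doc": doc.doc_id})
            continue
        culled_by = {t: why for t, why in cull_terms.items() if _matches(doc.text, t)}
        entry = {"doc": doc.doc_id, "search_terms": matched}
        if culled_by:
            entry["reason"] = culled_by      # the cull log: what removed it and why
            result["culled"].append(entry)
        else:
            result["hits"].append(entry)
    return result


def hits_per_term(collection: List[Doc], search_terms: Dict[str, str],
                  date_range: Tuple[date, date]) -> Dict[str, int]:
    """In-range documents pulled in by each term: a quick check for over-broad or dead terms."""
    start, end = date_range
    counts = {t: 0 for t in search_terms}
    for doc in collection:
        if start <= doc.sent <= end:
            for t in search_terms:
                if _matches(doc.text, t):
                    counts[t] += 1
    return counts


if __name__ == "__main__":
    import json
    print(json.dumps(cull(COLLECTION, SEARCH_TERMS, CULL_TERMS, DATE_RANGE), indent=2))
    print(hits_per_term(COLLECTION, SEARCH_TERMS, DATE_RANGE))
```

On the constructed collection, D001 and D005 are hits, D002 is a keyword hit that the "sales meeting" term culls (with the reason attached), D003 falls outside the date range and D004 matches nothing.  A term whose count is far above the others, or zero, is the one to revisit early, as the tips recommend.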

Digital Evidence, Departing Employees, Overdue Awareness by Ronald Davis, JD

A recent Law Technology News article by Vancouver journalist/lawyer Marlisse Silver Sweeney focuses on gathering digital evidence from departed employees.

Now, best practice demands that employers have a protocol for gathering digital evidence at the moment an employee leaves. Otherwise, the ex post facto gathering of evidence is closing the barn door after the horse has left.

But, setting aside this concern, the main point of Ms. Sweeney’s piece is that ex-employees will likely have data - i.e. digital evidence - in more places than the obvious ones.

Electronic Evidence's Best Kept Secret by Steve Ellwood

Don’t let the gawky handle fool you. CGSB-72.34-2005 is hugely important. It’s the document from the Canadian Government’s Canadian General Standards Board (i.e. the CGSB) titled *Electronic Records as Documentary Evidence*, and the standards it sets out apply to everyone. Public sector, private sector. For profit, not for profit. People, corporations.

Holding Down the Fort by William Ellwood, EnCE

In the closing scene of Butch Cassidy and the Sundance Kid, the titular duo is trapped in a farmhouse, surrounded by the Bolivian army and dreaming of far off Australia, where both banks and the armed forces are pushovers.

Our heroic duo’s hideout has only one door, no other apertures. This is a blessing and a curse: as they plot their escape, bullets can’t whiz through windows and cause chaos within.  But their opponents can centre their focus on that single point of exit.

The Invader in Your Pocket: The Android Phone and Stealth File Copying by Steve Ellwood

Lucky me. I just got the latest and greatest whizbang Android phone, the Samsung Galaxy S4.  It comes with a slot for a memory card, so I bought a $60 64GB little chip, and slid it in.  Cool.

I spent another $1.38 and bought a little application that allows wireless file transfers to my phone from any computer with a web browser. How convenient.

Convenient, yes. But also SCARY. I’ll tell you why.
