eDiscovery mistakes youshould skip

eDiscovery mistakes youshould skip

by Eric Robi on July10th, 2012
in Blog, Electronic Discovery, ESI

As I’m writing this article somewhere in a law office a lawyeris preparing a document production using Microsoft Outlook as a discovery tool.

“NATIVE” EMAILPRODUCTIONS FROM OUTLOOK

How is that? Well lawyers doing “native file” productions get acopy of the Outlook file, the mail box file with the extension .pst fromcustodian’s computers or from their client’s Exchange servers. (Sometimes theyobtain a .ost file, which is an offline store that is similar to a .pst). Theycopy the .pst file to their computer and open it within their copy of MicrosoftOutlook (the program they use to read their own email). They then read throughthe emails using Outlook and delete the files that are either not responsive orprivileged. If the file is very voluminous they use the search tools in Outlookto look for documents. They save the .pst file and make a native fileproduction in the form of a .pst to their opponent.

Oops. DELETED EMAILS DON’T MAGICALLY VANISH

The lawyer who did that made a huge mistake. A .pst file is adatabase file that we refer to as a container file. Like a zip file, the .pstis the container that holds the individual email messages. When an email isdeleted from the .pst, it’s content is still present in the container. It nolonger shows in the index so it isn’t visible, but it is still there. Sometimesthe .pst gets compacted before it gets produced and the deleted emails actuallygo away. Sometimes they do not. Therein lies the problem.

When we, or other ediscovery vendors receive email in the form of .pst files,our common practice is to ingest it into a processing platform. This can causeindigestion for the producing party. At Elluma we use eDiscovery tools such asIntella or Nuix. When those programs process email, they read the emaildifferently from how it appears in Outlook. Many items that were deleted emailare recovered in those processing tools.

Sometimes the email that is recovered is privileged email that we should nothave received. In California we have an obligation to notify counsel and toreturn the inadvertently produced email. Sometimes the email that is providedis not privileged, but outside what was specifically requested. And sometimesthat email opens up new avenues of inquiry.

RECOVERING DELETEDEMAILS IS TRIVIAL

You can see for yourself how easy it is to recover deletedemails from an outlook .pst. Take a .pst file and delete a few emails. Locatethe .pst file and open it using a hex editor. There are a number of freewarehex editors available on the web. I usually use an editing program callednotepad++. Locate bits (bytes?) seven through twelve (7,8,9,A,B,C) and changethem each to 00 then save the file. Then find the Microsoft utility calledscanpst.exe that is located on you hard drive. Put the altered .pst file intothe same folder as scanpst, and double click on scanpst.exe. This will “fix”the .pst file. When that is done open the .pst in Outlook. You will find thedeleted files back where they were before you deleted them.

What alternatives are there for producing native files? Well, there areutilities that can export individual message files from a .pst and produce theindividual messages. However, those tools alter critical message metadata.

CALIFORNIA BAR ETHICS OFPRODUCING FROM OUTLOOK

In California the State Bar Ethics Committee has addressed theissue of attorney competence in the context of using technology:

Many attorneys, as with a large contingent of the general public, do notpossess much, if any, technological savvy. Although the Committee does notbelieve that attorneys must develop a mastery of the security features anddeficiencies of each technology available, the duties of confidentiality andcompetence that attorneys owe to their clients do require a basic understandingof the electronic protections afforded by the technology they use in theirpractice. If the attorney lacks the necessary competence to assess the securityof the technology, he or she must seek additional information or consult withsomeone who possesses the necessary knowledge, such as an informationtechnology consultant.