Preservation of Evidence


If you are visiting this page then you have probably received a request from our firm to preserve evidence related to a claim on which we are working.  This is our initial request for the preservation of evidence related to a claim.

 

We request that all evidence related and even potentially-related to the claim be preserved.  This preservation request seeks to preserve the greatest possible amount of evidence related to the claim.  Please preserve all communications with our client, witnesses, and other persons and entities.  This request includes but is not limited to letters, emails, text messages, voice messages, or other forms of communication.  We request you preserve:

 

  1. All vehicles, vessels, bikes, and other real and personal property involved in, and related to the claim, in their unrepaired and unaltered state so we can inspect and record their condition;
  2. All audio and video recordings related to the claim;
  3. All documents, manuals, operating procedures, accident reports, and any other compilation of information without limitation that relate to or memorialize the claim;
  4. All audio and video recordings of the incident occurring in real time;
  5. All audio and video recordings of the area where the incident occurred for the twenty-four hour period preceding and following the incident; and
  6. All other item of evidence related and potentially-related to the claim.

We request you preserve all documents, tangible things and electronically stored information related to or potentially relevant to the claim.  You shall anticipate that much of the evidence we demand preserved is stored on current and former computer systems and other media and devices (including personal digital assistants, voice-messaging systems, online repositories and cell phones). Electronically stored information (ESI) shall be afforded the broadest possible definition and includes, but is not limited to, potentially relevant information electronically, magnetically or optically stored as:

 

  1. Digital communications (e.g., e-mail, voice mail, instant messaging)
  2. Cell phones text messages and cell phone photographs;
  3. Word processed documents (e.g., Word or WordPerfect documents and drafts);
  4. Spreadsheets and tables (e.g., Excel or Lotus 123worksheets);
  5. Accounting Application Data (e.g., QuickBooks, Money, Peachtree data files);
  6. Image and Facsimile Files (e.g., .PDF, .TIFF, .JPG, .GIF images);
  7. Sound Recordings (e.g.,.WAV and .MP3 files);
  8. Video and Animation (e.g., .AVI and .MOV files);
  9. Databases (e.g., Access, Oracle, SQL Server data, SAP);
  10. Contact and Relationship Management Data (e.g., Outlook, ACT);
  11. Calendar and Diary Application Data (e.g., Outlook, PST, Yahoo, blog tools);
  12. Online Access Data (e.g., Temporary Internet Files, History, Cookies);
  13. Presentations (e.g., PowerPoint, Corel Presentations)
  14. Network Access and Server Activity Logs;
  15. Project Management Application Data;
  16. Computer Aided Design/Drawing Files;
  17. Back-up and Archival Files (e.g., Zip, .GIlO);
  18. Social Networking sites (e.g., Facebook, LinkedIn, MySpace, etc.)

 

ESI resides not only in areas of electronic, magnetic and optical storage media reasonably accessible to you, but also in areas you may deem not reasonably accessible. You shall preserve all potentially relevant evidence from all sources of ESI, even if you do not anticipate producing such ESI.  You must identify all sources of ESI you decline to produce and demonstrate to the court why such sources are not reasonably accessible. For good cause shown, the court may then order production of the ESI, even if it finds that it is not reasonably accessible. Accordingly, even ESI that you deem reasonably inaccessible must be preserved in the interim so as not to deprive our client(s) the right to secure the evidence or the court of its right to adjudicate the issue.  You must act immediately to preserve all potentially relevant ESI and evidence.

 

Adequate preservation requires more than simply refraining from efforts to destroy or dispose of such evidence. You must also intervene to prevent loss due to routine operations and employ proper techniques and protocols to ensure preservation of all evidence and ESI.  Be advised that sources of ESI are altered and erased by continued use of your computers and other devices. Booting a drive, examining its contents or running any application will irretrievably alter the evidence it contains and may constitute unlawful spoliation of evidence.  Consequently, alteration and erasure may result from your failure to act diligently and responsibly to prevent loss or corruption of ESI and evidence.  Nothing in this demand for preservation shall be understood to diminish your obligation to preserve all ESI and evidence related to, or potentially related to the above-referenced claim.

 

You shall immediately place a litigation hold on all such ESI and evidence.  You shall further immediately identify and suspend all features of your information systems and devices that cause the loss of potentially relevant ESI and evidence. Examples of such features and operations include, but are not limited to:

 

  1. Purging the contents of e-mail repositories by age, capacity and other criteria;
  2. Using data or media wiping, disposal, erasure and encryption utilities and devices;
  3. Overwriting, erasing, destroying or discarding back up media;
  4. Re-assigning, re-imaging and disposing of systems, servers, devices and media;
  5. Running antivirus or other programs effecting wholesale metadata alteration;
  6. Releasing and urging online storage repositories;
  7. Using metadata stripper utilities;
  8. Disabling server and IM logging; and
  9. Executing drive and file defragmentation and compression programs.

You shall anticipate that your employees, officers or others may seek to hide, destroy or alter ESI and evidence and prevent and guard against such actions.  Especially where machines have been, or are used, for Internet access or personal communications, you shall anticipate that users may seek to delete or destroy information they regard as personal, confidential or embarrassing and, in so doing, may also delete or destroy potentially relevant ESI and evidence.

 

You shall prevent anyone with access to your data, systems and archives from seeking to modify, destroy or hide electronic evidence on network or local hard drives (such as by deleting or overwriting files, using data shredding and overwriting applications, defragmentation, re-imaging or replacing drives, encryption, compression, steganography or the like).  With respect to local hard drives, one way to protect existing data on local hard drives is by the creation and authentication of a forensically qualified image of all sectors of the drive.  Such a forensically qualified duplicate may also be called a bitstream image or clone of the drive.  Be advised that a conventional back up of a hard drive is not a forensically qualified image because it only captures active, unlocked data files and fails to preserve forensically significant data that may exist in such areas as unallocated space, slack space and the swap file.

 

With respect to the hard drives and storage devices of each of the persons named below and of each person acting in the capacity or holding the job title named below, as well as each other person likely to have information pertaining to the instant action on their computer hard drive(s).  You shall immediately obtain, authenticate and preserve forensically qualified images of the hard drives in any computer system (including portable and home computers) used by that person as well as recording and preserving the system time and date of each such computer.  Once obtained, each such forensically qualified image should be labeled to identify the date of acquisition the person or entity acquiring the image and the system and medium from which it was obtained.  Each such image shall be preserved without alteration.

 

You shall anticipate that certain ESI and evidence, including but not limited to spreadsheets and databases, will be sought in the form or forms in which it is ordinarily maintained. Accordingly, you shall preserve ESI and evidence in such native forms, and you shall not select methods to preserve ESI and evidence that remove or degrade the ability to search your ESI by electronic means or make it difficult or burdensome to access or use the information efficiently in the litigation. You shall refrain from actions that shift ESI from reasonably accessible media and forms to less accessible media and forms if the effect of such actions is to make such ESI not reasonably accessible.

 

You shall further anticipate the need to disclose and produce system and application metadata and act to preserve it. System metadata is information describing the history and characteristics of other ESI.  This information is typically associated with tracking or managing an electronic file and often includes data reflecting a file’s name, size, custodian, location and dates of creation and last modification or access. Application metadata is information automatically included or embedded in electronic files but which may not be apparent to a user, including deleted content, draft language, commentary, collaboration and distribution data and dates of creation and printing.  Metadata maybe overwritten or corrupted by careless handling or improper steps to preserve ESI for email, metadata includes all header routing data and Base 64 encoded attachment data, in addition to the To, From, Subject, Received Date, CC and BCC fields.

 

With respect to servers like those used to manage email (e.g., Microsoft Exchange, Lotus Domino) or network storage (often called a user’s “network share”), the complete contents of each user’s network share and e-mail account shall be preserved.  There are several ways to preserve the contents of a server depending on, for example, its RAID configuration and whether it can be downloaded or must be online constantly.  If you question whether the preservation method you pursue is one that we will accept as sufficient, please call us.

 

You shall also determine if any home or portable systems may contain potentially relevant data.  To the extent that officers, board members or employees have sent or received potentially relevant e-mails or created or reviewed potentially relevant documents away from the

 

office, you must preserve the contents of systems, devices and media used for these purposes (including not only potentially relevant data from portable and home computers, but also from portable thumb drives, CD-R disks and the user’s PDA, smart phone, voice mailbox or other forms of ESI storage.), Similarly, if employees, officers or board members used online or browser-based email accounts or services (such as AOL, Gmail, and Ymail) to send or receive potentially relevant messages and attachments, the contents of these account mailboxes (including Sent, Deleted and Archived Message folders) shall be preserved.

 

You shall preserve documents and other tangible items that may be required to access, interpret or search potentially relevant ESI, including logs, control sheets, specifications, indices, naming protocols, file lists, network diagrams, flow charts, instruction sheets, data entry forms, abbreviation keys, user ID and password rosters or the like.  You must preserve any passwords, keys or other authenticators required to access encrypted files or run applications, along with the installation disks, user manuals and license keys for applications required to access the ESI.  You must preserve any cabling, drivers and hardware, other than a standard 3.5″ floppy disk drive or standard CD or DVD optical disk drive, if needed to access or interpret media on which ESI is stored.  This includes tape drives, bar code readers, Zip drives and other legacy or proprietary devices.

 

Hard copies do not properly preserve ESI, electronic search-ability, and metadata.  Hard copies are not an adequate substitute for, or cumulative of, electronically stored versions.  If information exists in both electronic and paper forms, you shall preserve both forms.  Your preservation obligation extends beyond ESI and evidence in your care, possession or custody and includes ESI and evidence in the custody of others that is subject to your direction or control, or with whom you are associated with on the above-referenced claim.  Accordingly, you shall notify all current or former agent(s), attorney(s), employee(s), custodian(s), investigator(s), insured(s), adjuster(s), and contractor(s) in possession of potentially relevant ESI and evidence to preserve such ESI and evidence in full compliance with this request.  You shall make all necessary efforts to ensure such compliance.

 

You shall take forensically sound steps to preserve all ESI and evidence from service and properly sequester and protect it.  Failure to do so poses a significant threat of spoliation.  “Forensically sound” means duplication, for purposes of preservation, of all ESI, evidence, and data stored on the evidence media while employing a proper chain of custody and using tools and methods that make no changes to the evidence and support authentication of the duplicate as a true and complete bit-for-bit image of the original. A forensically sound preservation method guards against changes to metadata evidence and preserves all parts of the electronic evidence, including in the so-called ”unallocated clusters,” holding deleted files.  If you have any questions about your obligation or ability to preserve any evidence then please contact us immediately to discuss the issue.

Shares 0

bottom-banner.png