When it’s absolutely necessary to preserve metadata, and I assume if you are reading this it most likely is, then one should take care.
We have shown that moving a file, emailing a file and even opening a file has the potential to change both File System and Application level metadata. We have also show that it may take some effort to alter the author but also how the author can appear as George Bush. The bottom line is that tools do exist to assist with the preservation of metadata. It’s also true that if you know the pitfalls and what not to do or when to do it you are far ahead of the game.
How To Properly Preserve Metadata
Is it necessary to call in a forensic or collection expert when litigation rears its ugly head?That answer depends on a lot of factors, but knowing the factors that go into making that decision is of utmost importance.
During internal investigations, counsel might advise the IT department collect evidence for cost-savings but this could ultimately destroy the case. Download this on-demand webinar to learn a more defensible protocol for legal and IT departments during corporate investigations.
Forensic and collection experts frequently create forensic image files to protect the metadata, both File System and Application. Think of an image file as a cocoon or a chrysalis.
Digital forensic experts also use hardware devices called write blockers to ensure no data can be changed when accessing media. Simply connecting a drive to a computer or booting a computer with an evidence drive attached can have an irreversible effect and modify hundreds of files, if not all the files, on a drive.
Metadata is fragile and sometimes difficult to interpret. Create date does not always equate to the date the file was actually created. Moreover, the create date at the File System level may not match the create date in the Application itself. The author field can be changed with a few clicks of the mouse.
So how can one be sure when a document was created and who created it? For the most part we can lean towards believing what we see until there is a reason to question that belief. We also have the benefit of forensic investigative techniques that help determine actual dates and other information if the validity is ever questioned. Just don’t believe everything you see and if you do I have a bridge in Brooklyn to sell you.
Consequences of Spoliating Metadata
Bad things happen to good lawyers. When it comes to metadata, one of the worst things that could happen is the failure to properly preserve that metadata when it really matters, such as: (1) when metadata is required to be produced during discovery, (2) when metadata contains potentially exculpatory evidence, regardless of whether or not it is required to be produced, and the authenticity of evidentiary ESI is called into question.
As we’ve discussed, metadata may contain specific dates, times, and other information about a specific file or events occurring within an operating system. But how does this become relevant to litigation, and how can the spoliation of metadata lead to sanctions, or worse?
We can break this issue down to two core categories: The first category is where metadata itself may be responsive to a discovery request; and the second category is where metadata is not responsive to a discovery request, but may be used in connection with determining authenticity of ESI.
When Metadata is Responsive to a Discovery Request and its Production is Required
Under the first category, we have metadata that is kept in the usual course of business and is responsive to a discovery demand.
Let’s start with hypothetical CASE “A” before a Federal Court in which the facts at issue include determining who wrote a series of documents, and on what date and time those documents were created, modified, printed, saved, etc.
The Plaintiff in CASE “A” was to issue a discovery demand to Defendant for “all ESI in Defendant’s custody or control related to ___ .” And furthermore, let’s say that Plaintiff’s demand included instructions, pursuant to Federal Rules of Civil Procedure 34(b)(1 )(c), that all responsive ESI was to be produced by Defendant “in native format, with metadata attached.”
When Defendant sent its IT staff to collect the responsive ESI from its computer systems, the IT staff did not use proper procedures and technology to ensure that both the file system and application metadata was unaltered during the collection.
As a result, the metadata has been spoliated, Defendant is unable to meet its production obligations, and Plaintiff is likely to seek monetary and nonmonetary sanctions against Defendant.
When Metadata is Not Responsive, but Necessary to Prove Authenticity of ESI
In the second category, we have metadata that is not necessarily responsive to a discovery demand, but for which the authenticity of the ESI is key.
Let’s jump into hypothetical CASE “B” in which the facts are fairly straight forward, and the real issue is whether certain ESI propounded by each party as evidence, such as an email message is authentic. Plaintiff claims to have a print out of a memo containing allegedly derogatory comments that was reportedly printed out by a former co-worker and given to Plaintiff. Defendant asserts that Plaintiff falsified the memo, and that Defendant has the original memo which did not contain any of the allegedly derogatory comments.
As happened in CASE “A”, when Defendant sent its IT staff to collect the memo from its computer systems, the IT staff did not use proper procedures and technology to ensure that both the metadata for the memo was unaltered during the collection. Again, the metadata has been spoliated. However, in CASE “B” when Defendant attempts to introduce the supposed original memo into evidence, Plaintiff ’s objects and provides an expert to show that the metadata associated with that original memo does not match the dates of that email, calling into question the authenticity of Defendant’s key evidence.
As a result, Defendant is unable to introduce its otherwise exculpatory evidence, and Plaintiff, who has the former coworker as a supporting witness, wins.
Metadata can help a party tell its story to the jury. However, metadata can also tell a story you don’t want the jury to hear, such as how dates and times of evidence do not match up with witness statements. At the end of the day, even inadvertent spoliation of metadata can ruin your entire case. So handle your metadata with care.