Looking Beyond E-mail: Alternate Forms Of Communication And Their Impact On Electronic Discovery

Thursday, November 1, 2007 - 01:00
Jerry F. Barbanel

When producing electronic discovery to turn over to the opposing party, it is imperative to be knowledgeable of the dangers of potentially missing relevant data during the standard forensic collection process. It is commonly believed that when a preservation order specifies "electronic communications," the order is referring to e-mail. However, there are a number of other forms of electronic communication that may exist on a custodian's computer that could possibly be overlooked.

One form of electronic communication that continues to gain in popularity is "instant message" communications, also known as "chat" communications. Such communication software includes Yahoo! Messenger, MSN Messenger, Google Talk, AOL Instant Messenger and Skype. Counsel must be aware of the fact that instant messaging, a real-time communication between two or more parties, travels across a company's network including the Internet, to another computer. Although companies have policies that prohibit the use of such software, it is not uncommon for employees to install it on their corporate computers and use it on a regular basis.

Unlike e-mails that are stored on a company's server and backed up to an archive, chat communication is not captured by a company's network infrastructure. Typically, chat communications can only be found on the user's computer. Unless the company's IT department has specialized network software designed to intercept these types of communications, this data will not be archived.

It is becoming more common for instant messaging programs to allow a user to activate the logging of chat communications. The length of time chat communications are retained on the hard drive varies based upon the software and user's configuration. Chat logs themselves may be stored in either plain text or an encrypted form. If the data is stored in an encrypted form, then any searches performed on that data set will have negative results due to the encryption. These logs must be decrypted before being searched. Yahoo! Messenger is among those software programs with encrypted logs.

Additionally, individuals that use chat software can transfer files to other computers similar to an e-mail attachment. This activity is not archived by the company's network, unless specialized software is in place to intercept it. In matters involving the theft of intellectual property, recovery of chat communications (including file transfers) can prove to be invaluable evidence.

Issues involving the infringement of intellectual property, facilitated by the use of chat software, are becoming more common. One common scenario involves a key employee leaving a company to work for a major competitor. After the employee's departure, the company becomes concerned that the former key employee misappropriated their intellectual property. A forensic specialist is retained to search the former employee's computer for evidence of possible wrongdoing. If counsel requests a specific keyword search of the hard drive, it may provide negative results as the data might have been stored in an encrypted chat log. It is in the company's best interest for the forensic expert to look for chat logs and decrypt them if necessary. The forensic examiner must also review the logs for relevant information.

Short Message Service, also known as "SMS" or "text messaging," is yet another form of electronic communication that is frequently overlooked in electronic discovery.Individuals can use chat software installed on their company's computer to send an SMS message to a mobile phone user. If the user is logging the chat communication, it may include the entire SMS message. Depending on the type of chat software being used, SMS messages may also be encrypted.

When a trained computer forensic expert is trying to uncover online communications, the first step is to determine if any chat communication software has been installed. Once the installed software is identified, the forensic specialist examines the configuration of that software to determine user names, address books (e.g., friends or buddies lists) and chat log settings. Chat log settings reveal whether the logging is enabled, as well as the duration of the logs. The forensic examiner next identifies all of the logs and attempts to recover deleted logs using sophisticated forensic software.

Another communication of significant importance is Voice over Internet Protocol (VoIP) technology. This technology enables a computer to function as a telephone with the use of a headset and microphone. Any telephone calls made or received using this method are not recorded unless the user has configured software to record the communications. If a company does not have the appropriate software in place to capture these voice communications, the calls will not be archived on the organization's network. Prior to installing any network monitoring software, there are legal implications that must be considered to avoid potentially violating any laws or regulations.

When using VoIP technology, an individual may also store voicemail messages on the company's computer. The voicemail is digitally recorded and stored as a file. Skype is among the most popular VoIP programs currently being used.

Fax communications can be directly sent from and received on a company's computer. These faxes can be sent and received via a computer and can be stored in a non-searchable proprietary format, similar to a TIFF image. Although viewed as a convenience, more and more frequently this software is not in compliance with a company's policies, and use of such unauthorized software is often times strictly prohibited. During the forensic collection phase of electronic discovery, these faxes may be overlooked because no one was aware that the user installed and configured the fax software on to their computer.

Through thorough interviews of key custodians, counsel and their computer forensic expert can gain crucial insight into what third-party software has been installed and used on company computers and determine if relevant data exists that needs to be captured, processed and produced. By knowing what to expect during the forensic collection, counsel cannot only expedite the process, but also greatly reduce the potential for spoliation issues.

Jerry F. Barbanel is the Executive Vice President in charge of IT Risk and Litigation Consulting for the Financial Advisory and Litigation Consulting Services practice at Aon Consulting. Mr. Barbanel can be reached at (201) 966-3494 or jerry_barbanel@aon.com. Bruce W. Pixley is a Senior Director in charge of the West Coast Computer Forensics group at Aon Consulting. Mr. Pixley can be reached at (805) 298-0031 or bruce_pixley@aon.com.

Please email the authors atjerry_barbanel@aon.com or bruce_pixley@aon.com with questions about this article.

More like this