
eDiscovery Update: In favor of custodian interviews and other low-tech approaches

Peter Coons


“Do you want me to scramble this one like the others?”

That’s a line from a deleted email I read while conducting a forensic examination a number of years ago. The email was addressed to a manager and sent by one of the engineers of a company accused of falsifying test data.

The manager responded affirmatively, but also added the following: “Don’t use the word scramble or anything else negative in email. Let’s call it, SOP, or standard operating procedure.”


I proceeded to run searches for SOP and Standard Operating Procedure and found dozens of emails containing incriminating conversations.

How did I find this juicy email? It certainly wasn’t the keywords provided by the case team. Sure, they had dozens of keywords from “alter” to “zap”, but not “scramble” or “SOP”.

I stumbled across this original email only because I was frustrated with the lack of results from the key terms that were suggested. So, I reverted to my comfort zone of randomly selecting and reading emails. This strategy had always proved fruitful in the past, and it always gave me insight into how people in the organization were communicating. How were they using email? Were they using code words? Were they engaging in small talk or were their communications strictly business?

The thought of this past investigation didn’t come to me randomly. It came to mind after I read a recent blog post by Jon Fingas regarding the Volkswagen emissions scandal. The article, published by Engadget, stated: “Tipsters claimed that VW staff used dozens of code words to hide emissions cheating activities, making it difficult for internal investigators to find evidence.” They’d refer to the technology as “acoustic software,” for example.

I have no personal knowledge of the methods or techniques being used by investigators in the VW case. Maybe they devised keywords to investigate, or perhaps they used some new-fangled analytical software that clustered emails based on some algorithm. But maybe, just maybe, they found the documents with the code words using one of my two favorite methods of searching for relevant ESI, both of which are “low tech”.

I’ve already mentioned the first technique: to select emails randomly and to start reading. I have used this method on nearly every investigation where I have been asked to find potentially relevant evidence. And nine times out of ten I have found communications that would not have been caught in the keyword net. This kind of random selection and reading can be tedious, but one can learn a lot about an organization and its people by this method of scouring business and not-so-business emails. Years ago I heard the New York Attorney General, Eric Schneiderman, speak when he was still a practicing litigator and he was investigating broker-dealer stock churning.

If I recall correctly, he stated that his team reviewed most, if not all, email communications, which led them to uncover communications talking about POS trades. Later they discovered that the brokers were referring to questionable investments they were putting their clients into and “POS” stood for “piece of s#!t”.

I am sure they had to read through a lot of email to find those nuggets, and I am not suggesting or advocating that we replace using keywords and data analytics with looking at every document. It is just not practical or feasible to read everything, but what I do advocate is that attorneys take time to look at emails that didn’t get caught in the net of key terms or analytics.

This method will help you find new keywords, relevant documents, or the smoking gun. At the very least, you are going to learn a lot about the organization, how it speaks, and how it operates.
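The loop described above (read a random sample of what the keywords missed, then search again with the terms learned) can be sketched as follows. This is an added example, not the author's tooling; the mailbox, the function names and the seed are constructed for illustration.

```python
import random
import re

# Constructed sample mailbox (id, body); not data from any real matter.
EMAILS = [
    (1, "Please alter the meeting invite for Tuesday."),
    (2, "Do you want me to scramble this one like the others?"),
    (3, "Yes. From now on let's call it SOP."),
    (4, "Applied SOP to the batch 7 results before sending."),
    (5, "Lunch on Friday?"),
    (6, "Standard operating procedure done on the March test run."),
]
CASE_TEAM_TERMS = ["alter", "zap"]  # two of the terms named in the article


def hits(emails, terms):
    """Return ids of emails containing any term as a whole word or phrase."""
    pattern = re.compile(
        r"\b(?:" + "|".join(re.escape(t) for t in terms) + r")\b", re.IGNORECASE
    )
    return {eid for eid, body in emails if pattern.search(body)}


def null_set(emails, terms):
    """Emails the keyword net did not catch, in original order."""
    caught = hits(emails, terms)
    return [(eid, body) for eid, body in emails if eid not in caught]


def sample_null_set(emails, terms, k, seed):
    """Draw a reproducible random sample of uncaught emails for manual reading."""
    pool = null_set(emails, terms)
    rng = random.Random(seed)  # fixed seed so the same sample can be re-drawn and documented
    return rng.sample(pool, min(k, len(pool)))


def rerun_with(emails, terms, learned_terms):
    """Ids newly caught once terms learned from reading are added to the list."""
    return sorted(hits(emails, terms + learned_terms) - hits(emails, terms))


if __name__ == "__main__":
    for eid, body in sample_null_set(EMAILS, CASE_TEAM_TERMS, k=3, seed=2016):
        print(eid, body)
    learned = ["scramble", "SOP", "standard operating procedure"]
    print(rerun_with(EMAILS, CASE_TEAM_TERMS, learned))
```

Recording the seed and the sample size alongside the review notes lets another examiner re-draw exactly the same sample later.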

The second method is one that I highly recommend and fully support in most, if not all matters, regardless of size or value. That method is the custodian interview. If an organization is subjected to discovery for litigation or other purposes, it is critical to interview the employees who created and controlled the ESI. I could be wrong, but I sometimes get the feeling that case teams are moving away from the interview process.

They think that the technology can be used to “boil the ocean” and just leave behind the relevant ESI. eDiscovery vendors often receive entire hard drives or network shares that contain thousands or even millions of irrelevant files or junk. Maybe the thousands could be reduced to hundreds if a proper custodian interview had been conducted. It certainly takes more time and effort to do the interview, but the payoff can be great.

Custodian interviews can help the lawyer learn about the case from the point of view of the potential witness. They can also help to identify or eliminate key terms, give insight into the internal business lexicon, identify new custodians or eliminate the need to include others that have been slated for preservation and collection.

Interviews serve another purpose if the ESI collection occurs at the same time as the interview. The interviewer and technology team can do a targeted collection to reduce the volume of nonresponsive ESI collected, thereby reducing costs.

Again, I am not advocating the abandonment of key terms, predictive coding, TAR or any other approach or name one wants to attach to data analytics (actually, I think we need to use it more!). What I am proposing is that case teams also take a low-tech approach and conduct custodian interviews and review random samples of documents. Yes, it may take time and effort, but trust me, the payoff is worth the investment.

Peter Coons is a senior vice president at D4, providing eDiscovery and digital forensics consulting services to clients. He is a Certified Information Systems Security Professional, an EnCase Certified Examiner, an Access Data Certified Examiner, and a Certified Computer Examiner. He belongs to various digital investigation and information security based organizations.