What happens to email attachment timestamps when a file is attached to an email message? As far as internal file metadata goes, nothing should change. Attaching the file does not change its contents, and internal metadata, such as the document’s author, title, creation and modification dates where applicable, should be preserved during transit.
How about file system metadata? Does plucking the file from the file system and attaching it to an email result in total loss of file system metadata? Not so, at least in an Exchange / Outlook environment. In fact, file system timestamps can survive the transit to the recipient’s mailbox, sometimes with 100-nanosecond precision!
About a decade ago, virtually all electronically stored information (ESI) productions we performed were in static format (i.e., PDF/TIFF/JPG with accompanying load files). Legal review platforms were designed to work with static productions, and law firms preferred them due to their plug-and-play nature—a proper static production can be loaded into a review platform without much effort. During the past two years, we have seen an increasing interest in productions in native file format. Considering the amount of information that can be extracted from raw data, it is not hard to understand why lawyers demand access to electronic documents in their native format.
When working on computer forensics or e-Discovery projects, especially the ones that involve electronically stored information (ESI) productions based on pick lists, we frequently encounter pick lists which consist of Bates ranges. Bates ranges may comprise document-level control numbers—as seen in native or near-native document productions, or page-level Bates numbers. We conceived Range Converter—a free Bates range to list converter—with the hope that it will make it easier for legal professionals to work with Bates ranges.
Microsoft Office documents typically contain a great amount of metadata, some of which can be instrumental in computer forensics. While e-Discovery and computer forensics software can handle extracting and displaying most of the metadata, I found that a crucial piece of information is usually not extracted: Microsoft Word last 10 authors — also known as Word save history.
Certain versions of Microsoft Word such as Word 8.0 (Word 97) through Word 10.0 (Word 2002) store the names of the last 10 people who edited the document as well as the file locations. This information is not displayed to the end user through the Microsoft Word user interface, and according to the Microsoft Support website, this is an automatic feature that cannot be disabled.
Native file productions are gaining more and more traction in e-Discovery, and rightfully so. However, what native format is, and its benefits and drawbacks are commonly misunderstood, occasionally rising to the level of e-Discovery disputes. Here are some of the misconceptions we encounter frequently about native file productions…
Facing litigation and having to produce company documents to third parties can be an unsettling experience. Some businesses react to this by attempting to do as much of the identification, preservation and collection work in-house, using either company staff or their trusted IT consultants. While this sounds like a good idea for keeping as much of the irrelevant company data from the outside and cutting costs, it often backfires when done without the required expertise and tools. Furthermore, it can derail the entire e-Discovery process since subsequent steps such as processing, review and production depend on the proper identification, preservation and collection of relevant ESI.
Legal teams often choose to prepare image productions accompanied by load files, and many of them make simple mistakes or bad choices that make it unnecessarily difficult for the recipient to utilize the produced information. While helping a firm sort out a disastrous incoming production, I was inspired to write this post with the hope that it may help someone avoid an unnecessary dispute. Assuming that the e-Discovery processing leading to the production was performed competently, here are a few quick tips for preparing a proper image production.
Many legal teams use endorsed searchable PDFs as their preferred format for producing electronic evidence. I suspect that two of the most common reasons for this may be that PDFs are a format attorneys are very familiar with, and that the productions can be prepared in-house using the tools the firm has.
I am generally not a fan of PDF productions because I think they lack both the advantages of a native production (e.g. maintaining the metadata and functionality of complex electronic files) and the advantages of a TIFF production accompanied by load files (e.g. flexibility and ease of use with legal review platforms). In fact, our experience shows that upon receiving a searchable PDF production, most law firms hire an outside company, or engage their in-house litigation support team to have the documents converted to a TIFF production with load files so that they can be loaded into a legal review platform.
E-mail messages contain numerous metadata fields that are utilized by computer forensic examiners as well as legal teams. One key MAPI property that is frequently extracted by computer forensics and e-Discovery software, but yet usually overlooked or underutilized, is PR_CONVERSATION_INDEX. This property indicates the relative position of a message within a conversation thread and is typically populated by the e-mail client for each outgoing message.
The Shell team at Microsoft at some point decided to improve things a bit and implemented a new way of comparing Unicode strings that contain numerals. The change took effect after Windows 2000, so operating systems such as Windows Server 2003, Windows XP, Windows Vista and Windows 7 sort numerals in folder and file names according to their numeric value. While this seems logical and may be helpful to most people, we believe that it brings new issues, especially in the legal industry.