Legal teams often choose to prepare image productions accompanied by load files, and many of them make simple mistakes or bad choices that make it unnecessarily difficult for the recipient to utilize the produced information. While helping a firm sort out a disastrous incoming production, I was inspired to write this post with the hope that it may help someone avoid an unnecessary dispute. Assuming that the e-Discovery processing leading to the production was performed competently, here are a few quick tips for preparing a proper image production.
E-mail messages contain numerous metadata fields that are utilized by computer forensic examiners as well as legal teams. One key MAPI property that is frequently extracted by computer forensics and e-Discovery software, yet usually overlooked or underutilized, is PR_CONVERSATION_INDEX. This property indicates the relative position of a message within a conversation thread and is typically populated by the e-mail client for each outgoing message.
The Shell team at Microsoft at some point decided to improve things a bit and implemented a new way of comparing Unicode strings that contain numerals. The change took effect after Windows 2000, so operating systems such as Windows Server 2003, Windows XP, Windows Vista and Windows 7 sort numerals in folder and file names according to their numeric value. While this seems logical and may be helpful to most people, we believe that it brings new issues, especially in the legal industry.
A vast amount of electronic evidence is transmitted every day via electronic file transfers among corporations, law firms and e-Discovery service providers. Most of these transfers involve compressing the evidence into a file archive (ZIP, RAR, 7z, etc.) and transferring the resulting archive(s) over the internet. While this is usually a straightforward process, it is critical to make the right decisions and use the right tools to avoid trouble down the road.
Robocopy is a great tool for copying files, but it does not offer an option to hash the source and destination files. While this may not be necessary for casual personal use, being able to confirm that the output files are identical to the source files using cryptographic hashes is crucial when working with electronic evidence.
There are commercial off-the-shelf file copy tools that have this functionality built in, but they usually lack the flexibility that Robocopy offers. If you are a Robocopy fan, and do not mind a little bit of command line work, follow along and we will show you how to validate Robocopy results using the freely available software package md5deep.
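The check described above, hashing every file in the source and destination trees and comparing the results, is shown here as an added Python example; it is not the post's md5deep procedure. The function names and the sample tree are constructed for illustration, and SHA-256 is an assumed default (pass `algo="md5"` to get digests comparable with md5deep output).

```python
import hashlib
import os
import tempfile

def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream the file through the hash so large evidence files never load whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest(root, algo="sha256"):
    """Map each file's path relative to root to its digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = hash_file(full, algo)
    return out

def compare_trees(src, dst, algo="sha256"):
    """Report files missing from dst, extra in dst, and present in both but differing."""
    s, d = manifest(src, algo), manifest(dst, algo)
    return {
        "missing": sorted(set(s) - set(d)),
        "extra": sorted(set(d) - set(s)),
        "mismatch": sorted(p for p in set(s) & set(d) if s[p] != d[p]),
    }

def demo():
    """Constructed sample: a copy with one altered file and one file never copied."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "dst")
        for root in (src, dst):
            os.makedirs(os.path.join(root, "mail"))
        files = {"a.txt": b"alpha", os.path.join("mail", "b.msg"): b"bravo", "c.pdf": b"charlie"}
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        with open(os.path.join(dst, "a.txt"), "wb") as f:
            f.write(b"alpha")
        with open(os.path.join(dst, "mail", "b.msg"), "wb") as f:
            f.write(b"brav0")  # same size as the source, different content
        return compare_trees(src, dst)

if __name__ == "__main__":
    print(demo())
```

The altered file in the sample has the same size as its source, so a size or timestamp comparison would pass it; only the digest comparison flags it.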