I recently interviewed Dr. Gavin Manes, CEO of Avansic. We covered so much with regard to eDiscovery trends that we couldn’t fit it all in a single blog post. Part One of my interview was published Monday, here is part two with Dr. Gavin Manes.
In part two with Dr. Gavin Manes, we discussed cloud-based eDiscovery solutions, forensic examination best practices, and mobile device discovery.
Doug Austin: It seems that the move to “the cloud” has accelerated since the pandemic and that includes cloud-based eDiscovery solutions. What advice do you have regarding considerations for an organization when it comes to selecting a cloud-based eDiscovery solution to support their needs?
Dr. Gavin Manes: All of us in the south, especially down on the Gulf Coast in places like New Orleans and Houston, have these things called “hurricanes” and Katrina happened several years ago. The entire legal industry down there said, “I don’t want servers in my office anymore. Let’s get these out of here.” The idea of being off premise is something that law firms were not comfortable with until a natural disaster occurred. COVID was not necessarily a natural disaster, but it’s caused us to realize we don’t need to have things on-prem – the cloud is secure.
There are private clouds and there’s private data centers. I think what we’ve seen and learned from all the legal work during the Katrina days (and even the BP oil spill days where we were having to take work and disperse it all around the globe) is the flexibility of deploying features and eDiscovery tools and being able to use them whether on-prem or in the public or private cloud. And when I’m looking at eDiscovery solutions, if I’m only in the cloud, and I have to bring it on-prem because of some protective order in some case, I’m going to have to learn a whole new tool. The tools that have the flexibility to be deployed in Azure, AWS, or wherever are going to be a lot more adaptable than the others.
I also don’t think people still fully understand how pricing in the cloud works. When we think about the old way, we use the analogy of text messages where every time you received a text message, you used to pay 10 cents. Many don’t even remember that, but it was an acceptable behavior back then. Now you have unlimited texts. With eDiscovery in the cloud, you used to pay per gigabyte per month for storage. Now we’re seeing where you buy buckets of gigabytes or even an unlimited amount. It’s important to understand exactly how storage works because it can get expensive. You upload a gig, and then you produce that gig. That original gig is going expand to a gig and a half, and then you get a production from the opposing party that may take it to two gigs. It’s never going to go down; it’s only going to keep going up.
I think the move to the cloud has accelerated because of the acceptance of working from home. We don’t need to be there with the data. But there is still regression where people want to print things. The volume of printing has shrunk, but just the other day I had a client that wanted to print 2,000 documents, which reflects being stuck in old habits. But the cloud really helps us here. We showed him an iPad where you could flip through the documents, and he said, “That’s better than printing! Great!” It’s trying new things, like I’m trying to convince my children to do more. You don’t know if you like it until you try it. I think the legal industry would benefit by spending more time trying the technology that’s out there.
Doug Austin: I couldn’t agree more. I’ve covered several cases recently that have involved forensic examinations. What advice do you have for our audience regarding when a forensic examination is appropriate and best practices for requesting them in litigation?
Dr. Gavin Manes: The best way to answer that question is to ask the question “What’s the difference between eDiscovery and forensics?” My answer is always that they’re the same in all of the process and all the purpose – the collection and the preservation because you’re gathering evidence to present in front of a court. They are the same thing. However, eDiscovery deals with what the document says. Whereas forensics deals with considerations like: How did that get there? Who touched it? When did it get there? The stuff behind the scenes.
Often, you want to understand how or why something got there. We can almost get to why, which is an intent everyone in forensics understands. What a document says is obvious. But behind the scenes, forensics can help you understand the story of that document. Our most common example is you used to work for one company, and now you work for another company. And it’s kind of obvious in that case that we need forensics because we’re trying to figure out what they stole.
Notice I didn’t say if they stole. We steal things intentionally and unintentionally. We might download our PST. We might upload it to a cloud site. There’s of lot of things that people do. I know how I could steal something from a company where it would never be traceable. And I’m not going to tell you how, except it involves a printer. There are ways to do things undetected, but most people are doing things that forensics traces. And a great thing about a computer is it does track everything you do, not because it’s big brother, but because it’s just trying to help you. You open Word and it shows you the last five documents you’re working on. You open one of those documents and it shows you where you left off. All that helps me understand what you’ve been doing out there. That “how” and that “why” is important.
Our other common case is authentication. That’s where you bleed from eDiscovery into forensics. You didn’t think you needed forensics, but now you do. You’re looking at an email and you’re going, there’s something just not right about that email. It doesn’t look real, or my client says they didn’t receive it. That’s where forensics can go under the hood and let you know that email is absolutely fake. Or that email was created by a third party. The common case there is where someone is claiming a whistleblower (or someone else) is providing the evidence, and it needs to be authenticated. I know it’s not the judges’ job to question evidence, but when people produce screenshots or PDFs, and there’s no authentication of the evidence, I try to impress upon them how easy it is to create fake text messages and fake Facebook pages. If the other party doesn’t challenge it, the evidence is going to get in and the judge could sit there and go, that looks fake. Someone testifying they took this screenshot is not as good.
That’s where forensics and eDiscovery mesh together, wrapping them back to where they are the same thing. Forensics comes down to great collection of the data, a good chain of custody that explains where the data came from, and from there, we can do everything – unlike other investigative techniques that may be destructive of the data. When we look at a computer, we can look at it over and over and over again, we can give that evidence to another expert, and they should find the exact same result as us. The data is the data, and it speaks for itself.
Doug Austin: Another recent trend in eDiscovery is the more common inclusion of mobile devices as a discoverable source of ESI. What recommendations do you have for our audience regarding how they approach mobile device discovery?
Dr. Gavin Manes: Mobile device discovery is a constant ground shifting. The tectonic plates of the mobile universe are perpetually moving, and we have earthquakes that happen on occasion. Lately, it was one of the most common tools called Cellebrite which had a problem with Apple, and it was exposed by the inventor of Signal. That was an earthquake move where we had this great technology that we could use to perform certain types of extractions from an iPhone. Then all of a sudden, it was gone because Apple “fixed” it.
Moving around in the technology of that world is very different from computers where we have the Mac, and we have Windows, and maybe a little bit of Linux (which is really just a Mac that is sort of reverted on itself). We essentially have two types of computers we examine and that’s it. Whereas, with mobile devices, an iPhone on AT&T versus Verizon can be significantly different. Still, there are only twelve or so deployments of iPhone out there, but when you enter the Android world, there’s thousands of variants of Android and what they are.
The nice thing is that, unlike a computer exam, which the volume of the data can drive how complicated the exam is, with cell phones – even though they can be very big as well – most of what’s big on a phone is the pictures and videos and not the substantive data that legal is looking for. So, typically a cell phone exam is a few hundred to a thousand dollars. It’s not super expensive. Whereas a computer exam could cost $2,000 to $5,000.
Another consideration is that when we conduct a cell phone exam with modern technology today, and then we wait a year and process it again, we might get different results because we have the benefit of the technology improving. The best example of that is the checkmate application by Cellebrite, where we couldn’t get past the encryption in the iPhone to get a better physical image of it. Only Apple knows the key to iPhone encryption. But they figured it out. You hit fancy buttons on the phone, and you might break it, but hit fancy buttons on the phone and then the phone boots up into a mode where you can suck the data off of it. We didn’t have that a year and a half ago. How much longer will we have it? We just don’t know.
But the wealth of information people think is only on a cell phone is not true. As I mentioned, images and media are often important on a cell phone. But I always ask people “What is the source of truth of the data you’re looking for?” Because it may not be solely on a cell phone. For instance, your cell phone is not the source of truth of email. Your cell phone won’t have more email on it than is on the cloud or in a mail server. It’s not the best source of truth. So, most collection tools or extraction tools don’t bother to get email. It’s a waste of time. Same with Facebook and things like that.
But for text messages, applications, or location data, it might be the best source of truth. Knowing what evidence is on the phone and what you’re going to get from it is really important. Add to that mobility usage reports and Google tracking and Apple tracking. There’s a lot of ways we can put someone not just in a geographic area, but at a specific location at an exact time. That is one of our common cases with cell phones versus just getting all the text messages off of them.
Hope you enjoyed part two with Dr. Gavin Manes! We’re not done yet! The third and final part of my interview with Dr. Gavin Manes will be published on Friday.
So, what do you think? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclosure: Avansic is an Educational Partner and sponsor of eDiscovery Today
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.