When is Plaintiff Computer Forensic Imaging Warranted?

30 May 2014

Federal Courts Require More than Mere Possibility of Misconduct

In a recent order from an Ohio state case Fasteners for Retail, Inc. v. DeJohn et al., No 1000333 (Ct. App. Ohio April 24, 2014), the court reviewed federal case law as guidance to determine when a plaintiff computer forensic imaging order was warranted. Does it require the mere possibility of defendant misconduct, or something more?

When Can a Plaintiff Receive a Defendant Forensic Image of a Hard Drive?

The following federal cases were cited in Fasteners to outline certain principles when forensic imaging has been an issue of contention:

Bethea v. Comcast[1] (Moving party must show data exists and is being unlawfully withheld before ordering inspection or seizure of computer systems.)

Playboy Enters. V. Welles[2] (Forensic imaging warranted after party engaged in systematic deletion of relevant emails after case began.)

Williams v. Mass. Mut. Life Ins. Co.[3] (Motion for forensic imaging denied as the party did not establish the defendant was unwilling to produce the data.)

The following are 2014 federal court decisions regarding forensic imaging:

Battelle Energy Alliance, LLC v. Southfork Security, Inc.[4] (Plaintiff granted forensic imaging of hard drives on an ex parte basis for a TRO, and the image was to be provided to the court for an in camera review.)

Network Cargo Systems, U.S.A. v. Pappas[5] (Defendant flash drives ordered produced for forensic imaging after initial forensic examination uncovered flash drives used on personal computer devices.)

Cornelius v. Bae Systems Information Solutions, Inc.[6] (Computer forensic imaging uncovered wiping software was used to destroy all electronic data on mobile devices.)

What is the Value of a Computer Forensic Image?

A computer forensic image is an exact replica of a computer or mobile device hard drive. Once copied, the image can be fully searched and analyzed on a control computer. Not only will all files be copied, but everything will contain original metadata. Unlike a regular “file copy,” where the metadata will reflect the new user and new date of the copy, critically forensic imaging preserves the original metadata.

In addition to original metadata, forensic imaging makes a copy of unallocated space on a hard drive. This is important, as that is where deleted files or fragments of erased data often remain after a user attempts deletion. Even if a defendant goes the extra step to use wiping software in attempt to fully erase files, evidence of this software will often remain on the computer. This evidence of wiping software can be used in litigation to prove a defendant engaged in spoliation, even if the files themselves were irrevocably destroyed.

Expert Computer Forensics for the Plaintiffs’ Bar

Our computer forensics experts and eDiscovery team work exclusively for the plaintiffs’ bar in class action lawsuits and multidistrict litigation. Call ILS for more information, and be sure to bookmark our legal blog for the latest eDiscovery case law updates.

[1] 218 F.R.D. 328, 329-30(D.D.C.2003)

[2] 60 F. Supp.2d 1050, 1054(S.D.Cal 1999)

[3] 226 F.R.D. 144, 146 (D.Mass. 2005)

[4] 2013 WL 5637747 (D.Idaho 2014)

[5] No. 13 C 9171 (N.D.Ill. May 7, 2014)

[6] Case No. 1:13-cv-00825 AJT/TCB (E.D.Virginia April 24, 2014)