When I take on a job, my first ask is for the Request for Production (RFP) or another official, judge-approved document, clearly calling for specific data from specific devices.
In an ideal world I get an RFP with all the particulars spelled out, with each device clearly listed, with date ranges and a keyword list for search, and clear instructions on exactly how I am to obtain these devices (for example, they are already in the attorney’s possession and they will drop them off at my office).
In reality, it usually doesn’t work that way. This is not to throw shade on lawyers or judges — as a digital forensics analyst, I don’t expect that you would know as much as I do about digital devices — but it means that I often have to work with the attorneys (both sides) to nail down exactly what I am to look for and report on.
Show me the complaint
I always ask to see the complaint as an accompaniment to the RFP. This helps me determine that the RFP is on the right track to produce a full and complete report that speaks to the case.
If something doesn’t seem right with the RFP, I will speak up and discuss it with the attorney. Sometimes it’s just a point that I need clarified, and sometimes it means the RFP needs an overhaul.
Data isn’t where you think it is
In another blog post, Where to find data for your RFP, I detail the different places I might need to look to fulfill the RFP. For example, it’s a common misconception that emails are stored on one’s phone, but the best source for a complete picture of email is the email provider. The same is true for social media posts. They might seem to be “on the phone” because you can see them, but in reality, they are stored on the platform’s servers and sent to your phone when you open the app. These posts are never stored on the phone itself.
If the RFP tells me to look on the phone for something that isn’t on the phone, I’ll work with the attorney to get that point clarified in the RFP, and to set up any meetings with the client or data custodian (owner of the accounts) to obtain the additional information.
Keywords must be specified
I have received more than one RFP with vague search instructions such as, “Produce all emails pertaining to Jane Smith’s employment at XYZ company.” What does this mean, exactly? If I’m searching an archive of work emails, wouldn’t 99% of the emails be work-related, and thus “pertaining to employment”?
Ideally, I get a list of keywords to search that speak to the complaint. For example, if it’s a wrongful termination case, a good list of keywords might be:
- employment
- termination
- fired
- disciplinary action
- write-up
- personnel file
This doesn’t mean that these are the entirety of what I will search for — I often go above and beyond to see what I can find. However, if both sides can agree on this list of keywords, it gives me a baseline and a direction.
If keywords are not specified, I will often work with the attorney to come up with a proposed list.
Contacts’ information must be supplied
I have received more than one RFP that called for “all emails between Jane Smith and John Jones” with no email address specified for John Jones. Or it asks for all text messages with John Jones, and no phone number specified.
I can usually find an email address or phone number in the Contacts section, but I have no way of knowing whether there’s more than one email address or number, or whether a different phone number was being used at the time of the alleged crime (which might be several years earlier). Plus, my time spent searching for this information is billable time, which can add up quickly.
If counsel can’t or won’t provide email addresses and phone numbers, all I can do at that point is include in my report the email addresses and phone numbers I did manage to find.
In summary
The more complete and pertinent your RFP, the more I can get on with what I’ve been hired to do — search for data and write a report — rather than spending time in a back-and-forth that ultimately costs your client more money than it needs to.