A Lot of Room in Its View
Microsoft’s Vista stores much more data—and may affect the discovery process
Posted Jul 1, 2007 6:56 PM CST
By Jason Krause
Vista—Microsoft’s latest operating system—may prove to be most appropriately named, especially for those seeking evidence of how a computer was used.
Available since late January, Vista offers a host of new security and built-in backup features. But from a litigator’s perspective, the interesting point is that it keeps a lot more information—and more detailed information—about what a person does with a PC. This means lawyers can potentially discover more forensic evidence about what is on a computer and construct more detailed time lines about what was done with that information.
R. Lee Barrett, an associate attorney with Forshey & Prostok in Fort Worth, Texas, has worked bankruptcy cases for both banks and debtors. He believes Vista will be a useful tool for attorneys, but will also pose new challenges in litigation.
“From a defense perspective, it scares me to death,” says Barrett. “One of the things I have a hard time educating my clients on is the volume of data that’s now discoverable.”
For example, a new feature called Transactional NTFS, or TxF in Windows-speak, keeps much more detailed user records. These records allow attorneys to construct a more accurate time line of events.
“Right now you can ... say information was accessed on a certain day, but that might not prove anything,” says John Simek, co-founder of Sensei Enterprises, a legal technology and computer forensics firm in Fairfax, Va.
But with Vista “you can look in there and see something was accessed on Monday, Tuesday and Saturday at such-and-such a time going back months.”
Vista keeps something called a shadow copy that backs up your work in the unused space on the hard drive. It’s designed to prevent data loss; but with it that data will stay on the computer—perhaps forever. Windows systems have been replicating data similarly in recent releases, but Vista makes it easier for forensic examiners to find deleted data.
In addition, the new Instant Search technology allows users to find documents faster by keeping an index of things they have worked on.
However, the index becomes a new source of discoverable information that details almost everything one uses a computer for. “It’s Google Desktop on steroids,” says Simek. “It’s an indexed database of more evidence stored right there on a computer.”
Simek had a test computer set up to better understand how Vista will affect his forensics work. He says the most interesting new feature might be the bitlocker encryption, though it is currently available only for very high-end versions of Vista.
Bitlocker encryption lets users lock up data so that only people with a decryption key can access it. “From a forensics perspective, it probably won’t be a major problem because a court would order a party to decrypt the computer,” Simek says. “It could be a rare problem in civil litigation, like a divorce suit, if one side happens to have a high-end version of Vista and doesn’t want the other party to see the computer.”
Barrett says the new features may make life easier for small law firms and solo attorneys. Assuming they can look at a computer’s data without corrupting or altering it, lawyers doing a quick scan can determine whether relevant information might be stored on a PC.
“If you can’t afford a forensics expert for every case, at least you can take a look to see if ... some potentially discoverable documents have been on a computer,” he says. “Once you determine [that], ... then you can talk about hiring experts.”
But whether it helps or hurts them, users will likely have to deal with the vagaries of Vista someday. Microsoft’s hold on the market for business PCs is so complete, almost everyone will migrate to it eventually. Better that lawyers discover now how Vista will affect the discovery process.