Litigation Support Tip of the Night

February 9, 2019

Bit Recover has a number of different tools to assist with data recovery, and email conversion.   Be sure to check out the 39 free tools Bit Recover makes available here.  The tools allow you to review .pst archives, .ost files, .mbox email files (used by Eudora, Thunderbird, and other emails clients); convert Word documents to PDF (& vice versa); and count the number of emails in .mbox and .pst archives.   They have limited functionality unless you purchase a license, but you can use them for projects with small data sets. 

I tested two of these tools tonight. 

The MBOX wizard easily accessed an .mbox archive file with multiple emails. 

The tool also allows you to export the emails as PDFs; .msg files; a .pst archive and other common formats.  

The DOC to PDF Wizard will convert multiple Word documents to PDF format. 

February 9, 2018

Gmail makes it easy to check activity on your account.   At the bottom right of the inbox screen, you'll see a link for Details below a caption indicating when the last activity in the account occurred. 

If you click on this link, a new window will open listing the access dates and times the account was logged into, the location and IP address from where the login took place, and whether the login was from a PC, mobile device or email account. 

February 8, 2018

Under Settings in Gmail (click on the cog icon on the upper right) there's tab entitled, "Forwarding and POP/IMAP".   The first section named, 'Forwarding" allows users to add email addresses they want their gmails to be forwarded to.   If your account has been hacked, you may find an unfamiliar address listed there. 

January 8, 2018

American government agencies are currently rushing to meet the January 15, 2018 deadline for implementing the DMARC protocol.  DMARC stands for Domain Message Authentication, Reporting and Conformance.   It's a security protocol that allows for reporting between email receivers and senders in order to discourage spoofing - sending fraudulent emails which appear to come from a legitimate domain as means of facilitating spam and phishing.  

DMARC was developed in the private sphere and came into widespread use in 2012.   The authentication process allows a receiver to check if a message comports with what is knows about a sender.    The owner of a domain uses either a DomainKey Identified Mail (DKIM) or Sender Policy Framework (SPF) mechanism.   The receiver must confirm that the header of a new message aligns using DKIM or SPF with authenticated domain names.

You can confirm with if a domain is using DMARC on this site.    It will determine if the domain has a DMARC policy in place: 

. . .  and also provide an overall DMARC score.

January 4, 2018

Make note of the American Bar Association's Formal Opinion 477, published this past May.   The summary states that:

A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

The opinion does not recommend specific technical cyber security measures that should be taken, but requires attorneys to take reasonable steps specific to different factual circumstances.   A lawyers should follow these guidelines:

1. Understand if a particular case presents a high threat for cyber intrusion.   "[H]ighly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft."

2. Understand how data is transferred and stored.  "Each access point, and each device, should be evaluated for security compliance."

3. Take Reasonable Security Measures.  Such as, "using secure internet access methods to communicate, access and store client information (such as through secure Wi-Fi, the use of a Virtual Private Network, or another secure internet portal), using unique complex passwords, changed periodically, implementing firewalls and anti-Malware/AntiSpyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software."  An attorney is specifically charged with understanding that deleted files can be recovered.

4.  Protect Electronic Communications - "If client information is of sufficient sensitivity, a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it, and consider the use of password protection for any attachments."

5. Label electronic media as confidential.

6. Lawyers and their nonlawyer assistants should receive formal cyber security training.

7. Do due diligence on vendors hired to assist with electronic communications including checking their security policies and protocols. 

December 29, 2017

If you're using Windows online email services (Hotmail or, Windows 7 may store emails used with accounts accessed on the PC in the Users folder on the C drive.     You should be able to find emails in the .eml format at this location:

C:\Users\[User Name]\AppData\Local\Microsoft\Windows Live Mail

There are separate folders for emails from in the inbox and the outbox.   Don't miss the additional email data that is saved in the 'Storage Folders' subfolder.  

November 8, 2017

Email spoofing is the practice of sending a forged email that appears to be from a legitimate email domain, but is in fact from a different sender.    Email protocols don't always verify that an address in the FROM field is one which the sending system is authorized to send from.  A different (but similar) email address may be listed in the REPLY-TO field.

DKIM - DomainKeys Identified Email - is a method of authenticating the domain of an email sender. 

Your Gmail account can run a DKIM authentication. 

Follow these steps:  

1.    In a gmail message near the reply arrow, click on the drop arrow and select 'Show original'. 

2.   The resulting message will include a DKIM field indicating whether or not the particular message has passed the DKIM authentication test. 

3.  In the email header look for the line, "dkim=pass header", as official verification that the email has DKIM authentication. 

September 9, 2017

Journaling is the process of recording all email communications, whereas archiving involves backing up this email data in another location other than an email server like MS Exchange. 

As this posting to Microsoft's TechNet's site makes clear, Office 365 allows an admin to set rules which control how emails are journaled.   Up to ten rules can be set.  It is possible to record only emails sent to outside parties, or just record emails sent internally.    The SMTP addresses or individual recipients can be targeted. 

Exchange allows for Unified Messaging which consolidates email, voicemail, and faxes.   It is possible to exclude the journaling of voicemail messages, but if these are excluded faxes will still be retained.  

Online Exchange mailboxes cannot be used to receive journaling reports.   These must be sent to an internal archiving system.   

September 7, 2017

In order to open a IBM (formerly Lotus) Notes .nsf file it may be necessary to have a   This file contains the user's password, encryption keys, and other recovery information.   In version 9 of Notes this file is located in a user's App Data folder.   You can find its location by going to File . . . Security . . . User Security:

Notes can be configured so that having a password is not enough to open an email database, additional encryption information in the file is requited as well.   Even if the is not required for an entire .nsf database it may be needed to open specific messages.   When collecting .nsf archives be sure to request the file.

May 4, 2017

I've noted how helpful Windows LIve Mail is in the past.   You can use it to create an email list.

Go to Contacts in the folder list on the left, and then click Categories on the upper toolbar.  

You be given the option to enter a category name.   In the box below you can enter multiple email addresses.

When you draft a new email message and type in the category name it will autofill:

.  . . and you can send out your email to multiple recipients. 

Please reload

Please reload

Sean O'Shea has more than 15 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.


This policy is subject to change at any time.