December 1, 2025 • 63 mins
We unpack how hyperlinked files and “modern attachments” change discovery, from Google Vault’s updates to Microsoft’s gaps, and how to defensibly restore parent–child context without breaking authenticity. Arman Gungor shares practical workflows for version selection, preservation, and rapid email fraud detection.
• Why links function as attachments in context
• Current limits of Google Vault and Microsoft Purview
• Restoring families without altering source emails
• Choosing current vs contemporaneous versions
• Handling folder links and recursion at scale
• Preservation gaps across email and cloud storage
• Access, “shared with me,” and control issues
• Sampling approaches to manage burden
• MIME vs PST, signatures, and authenticity checks
• Using FEI to score and triage suspect emails
• Early planning for legal holds and server metadata
• Concrete questions to ask at meet and confer
To see how Minerva26 can become the strategy hub for your discovery decisions, head to Minerva26.com and schedule a strategy session or request a demo.
Thank you for tuning in to Meet and Confer with Kelly Twigger. If you found today’s discussion helpful, don’t forget to subscribe, rate, and leave a review wherever you get your podcasts. For more insights and resources on creating cost-effective discovery strategies leveraging ESI, visit Minerva26 and explore our practical tools, case law library, and on-demand education from the Academy.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Kelly Twigger (00:11):
Welcome to the Meet and Confer Podcast.
I'm your host, Kelly Twigger.
I'm a practicing attorney andthe CEO and founder of Minerva
26, a discovery strategyplatform that helps litigators
create and validate discoverystrategy by connecting rulings,
rules, and workflows so they canmake faster, defensible
decisions that protectcredibility and control costs.
(00:33):
If you're afraid of what to dowith ESI, we're here to help.
Today I'm joined by ArmanGungor, who also has two roles
in the e-discovery space.
Armand serves as the vicepresident of forensics at
Meridian Discovery and is alsothe founder of Metaspike and the
creator of Forensic EmailCollector and Forensic Email
(00:56):
Intelligence.
Arman has been right in themiddle of the hyperlinked files
and modern attachments battlessince 2021 when Judge Parker's
decision in Nichols v.
Noom first pushed his work withForensic Email Collector into
the spotlight.
We're going to unpack whathyperlink files really are, what
Google and Microsoft actuallygive you today, how tools like
(01:19):
MetaSpike's change what'sreasonable in discovery and what
all of this means for yourobligations and your strategy.
If you've ever looked at anemail with a link instead of a
PDF and thought, what exactly amI supposed to do with this?
This episode is for you.
Let's dive in.
Arman, thanks so much forjoining me today.
(01:40):
I really appreciate you beinghere.
Thank you.
Arman Gungor (01:42):
Likewise.
Thanks for inviting me.
Kelly Twigger (01:44):
We have a an important topic to talk about
today that I know is somethingyou became quite famous for in
2021 when Judge Parker wrote theNichols v.
Noom decision, and theplaintiffs argued that Noom
should use your forensic emailcollector tool to collect
hyperlinked files in thatparticular case.
(02:08):
And the court actually declinedto order them to do so because
they'd already done aproduction.
But I think it was the firsttime for me that your tool and
you became in the spotlight ofthis hyperlinked files issue.
So I really appreciate youbeing here today.
And I wanted to talk to youabout this because I think one
(02:29):
of the challenges that we havein Discovery now, because it's
mostly all ESI, is this notionthat technology keeps moving
forward.
And we as lawyers, ourobligations keep changing.
We keep needing to understandmore about the technology and
(02:50):
the technical aspects in orderto make uh crucial strategic
decisions for our clients interms of discovery.
And hyperlinked files is one ofthem.
So I will I'm gonna turn itover to you to let you describe
the problem and I'll jump in.
Arman Gungor (03:09):
Yeah, thank you.
Sure.
So what we mean by hyperlinkedfiles is when there's an email,
we are used to having theconventional attachments of
emails, which will be actualfiles.
But what happens when somebodyinstead of sharing an actual
attachment, they share ahyperlinked file in the body of
an email.
And that could be a deliberatechoice, as in you know, somebody
just clicks the share buttonand they share a file with
(03:31):
someone, or it could besomething that's enforced by the
provider.
For example, Google does thisfor, I believe, attachments over
25 megabytes.
And if you try to attachsomething large, it'll become a
Google Drive file, and then ahyperlink will be embedded in
the email.
So what happens if somebodyshares a file?
And it doesn't have to be afile, it will also be a folder.
(03:51):
So if somebody shares a file ora folder, what do you do then?
Does it become part of theemail?
Is it within the scope ofdiscovery?
What happens if you don'tinclude that at the at the time
that you perform the forensicpreservation?
So that's the challenge.
I think the first part of thequestion, as in, you know, is it
part of the email's context, ispretty straightforward.
(04:12):
I think it is definitely partof the email's context.
And if you look at those emailsand somebody's talking about
the attachment, and if it's notthere, then that's that's
trouble.
Kelly Twigger (04:20):
So that part is You know, that interesting point
that you raise because JudgeParker, in that one decision I
mentioned to you, said that itwas not an attachment, but the
courts since then have prettymuch conceded that hyperlinked
files that are referenced in acommunication are attachments.
Can I just clarify two pointsfor you?
One is we can have hyperlinkedfiles anywhere, right?
(04:42):
It's not just limited to email.
They can be in text messages,they can be in WhatsApp
messages, any kind ofcommunication where you're
sending text and you can includea link.
A hyperlink file can be in anyof those.
Okay.
All right.
And I had a second point whichI've completely forgotten, so
I'll come back.
Arman Gungor (04:59):
Well, that's that's all right.
But you know, when I wastalking about that, I kind of
danced around that attachmentphrase because yeah, maybe
technically they may not becalled attachments, but what I
said is are they in the contextof the email?
And I think, you know, thereasoning for how the production
is defined and how we alwaystalk about families and
(05:20):
parent-child relationships, thefact that if it's an attachment
or something else is not reallythat relevant.
I think what's important is isit in the context of the email?
As in when you review theemail, do you really need to
refer to that file to get thefull context of what's going on
there?
And I think the answer to thatis yes, you have to have that
context to decide what'shappening.
(05:41):
And I've experienced thismyself personally.
I've had some cases like thatwhere even not in a corporate
scenario, individuals usingregular free Gmail they would
exchange some files as GoogleDrive hyperlinks, and when you
come to examine those emails, oreven in the discovery context,
when you need to review them andmake decisions, if those files
are not there, you just let lostthe whole context, as if
(06:03):
somebody just dropped theconventional attachments of an
email.
So contextually, I think it'sfairly straightforward.
But as far as the productiongoes, should it be your standard
operating procedure?
I think that very much dependson scope and again context and
proportionality.
Because in a case where thereare a few mailboxes and it's not
(06:26):
overly burdensome, I think it'san easy decision.
When it scales up, there aredefinitely some challenges, and
they depend on the provider aswell.
Providers have different takeson this, they have different
APIs and they have differentcapabilities, and there are
varying levels of difficulty ingetting those Google Drive or
Microsoft OneDrive or SharePointfiles out of the provider and
(06:49):
linking them with the emails.
So that part is a little bitopen to discussion, and maybe
it's like on a case-by-casebasis.
Parties need to figure out ifit should be considered in
context and part of theproduction.
But that is really thechallenge that we're trying to
solve.
And yeah, you mentioned that2021 case and the landscape has
changed a little bit since then.
And I'm happy to see that theproviders have kind of tried to
(07:11):
adapt.
And I saw that Google actuallyupdated Walt to include that
hyperlinked attachment supportlast year.
So now, even if you don't use aspecialized software, but if
you're doing a regular GoogleWalt export, you could get
hyperlink Google Driveattachments out of Walt.
Kelly Twigger (07:29):
So I'm going to stop you just to make sure
everybody's on the same pagebecause a lot of folks use
Microsoft, right?
So you either use Microsoft oruse Google.
Some people will use Google fortheir free email, so they might
use it for their personal mail,but exporting it for purposes
of discovery never kind of comesinto play.
So for folks who use GoogleApps, of which Google Mail is
(07:50):
one, there's an archive solutionthat can be turned on with
Google Mail called Google Vault.
And what you're saying is thatlast year, so in 2024, Google
Vault added functionality to itthat allows you to collect
hyperlinked files directly fromGoogle Vault.
Is that right?
Arman Gungor (08:10):
That's right.
There is definitely somenuances there.
It doesn't get you 100% of theway there because of, I would
say, two main things.
One of them is the way GoogleVault is doing it now is a very
efficient way, and you canexport a number of custodians
all in one go, kind of similarto what you do with Purview.
And whatever Google Drive filesare associated with those
(08:32):
mailboxes, the related GoogleDrive files will be exported all
together as a single instance.
So if that Google Drive filehas been referenced 75 times
here and there, you're gonna getone instance of that.
And there's a reference filethat allows you to kind of match
it up with where it should go.
Kelly Twigger (08:50):
Now this so the reference file allows you to
match up the communication.
So let's say in this case, thecommunication is an email to the
actual file.
And if the file, if that ifthere are 75 times in the
collection, there are 75different emails in which that
file is referenced, it will onlybe collected one time, but
(09:14):
there is a ref, what did youcall it, a reference ID that you
can match with thecommunications to the file so
that all 75 communications wouldhave that reference ID to that
one file.
Arman Gungor (09:26):
That's right.
So which makes sense from anefficiency standpoint.
There is no point inrecollecting the same Google
Drive file 75s, which we didwith attachments over and over
and over again.
Kelly Twigger (09:37):
So this is actually more efficient.
Arman Gungor (09:39):
Yes, efficiency-wise, that's perfect.
One part they're missing isthat they don't offer a way to
reconnect those things for you.
So that's left to the user, andnot every user is able to do
that.
So when you want it to be readyfor e-discovery ingestion, you
have this set of emails and youhave this set of unique
instances of Google Drive files,but they're not really in any
(10:00):
way connected directly.
So you have a couple ofoptions.
One of the options is you wouldhave to write your own process
or scripts or whatever andreorganize them in a way that
has some type of connection thatis compatible with your
e-discovery solution.
When we saw this, we jumped onit as well and we built that
into forensic email collector.
So we wanted to take that as astarting point, as if you're
(10:22):
collecting from Google's APIsdirectly, but start with a
Google Vault export andreorganize it in a way that kind
of mimics a forensic emailcollection.
So everything is packaged.
There are Google Driveattachment packages where
there's the parent email and theconventional attachments and
the Google Drive attachments inone place for that parent-child
(10:43):
context.
But that was one of the thingsthat they're missing.
So that support is there.
It's not a hundred, it doesn'tget you 100% there if you don't
have the practices and whatyou've got to have, you can't do
it yourself, right?
Kelly Twigger (10:55):
I can't export from Vault.
And I'm fairly savvy when itcomes to those things, more so
than most litigators.
But you can't I can't do itmyself unless I've written some
sort of script that allows me totake that ID and link it back
to the email communications.
Yeah, and that's one of thethings that forensic email
collector, your tool, does.
Arman Gungor (11:13):
Yes, if you have if you had just two, three
emails, then you could probablylink it yourself manually.
But if you have millions ofemails, then you definitely have
some type of automated processto do it.
And it's not an insurmountableproblem, really.
It's solvable, but it does havesome challenges because part of
the problem also is that notproblem, but part of the
challenge is that the emailscome in containers, so you don't
(11:35):
get individual emails, but youget either PST files or inbox
files, which are essentially abunch of text-based emails
combined together, likeconcatenated.
You have a question there.
Kelly Twigger (11:47):
Yeah, I do because I want to make sure.
So inbox, the inbox containeris what comes from Google, just
so listeners understand thedifference.
So the inbox container is whatcomes from Google, and the PST
is a Microsoft containercreation, right?
Arman Gungor (12:01):
Yes, but Google also exports in PST format to to
accommodate users who wantthat, I think.
So you have both options whenyou do, right?
Kelly Twigger (12:09):
It had always been inbox, was Google's
standard functionality, butthey've since added PSTs because
Microsoft users wanted it.
Arman Gungor (12:16):
I think it's been a few years that they've had
that functionality, but yeah,initially it was Mbox only.
And the reason for that isclear on Google's back end,
these emails are MIME emails, sothey're text-based emails.
So in when you stay in thatrealm, then the container format
for that is Mbox, which isessentially a bunch of MIME
emails just concatenatedtogether with a little bit of
(12:36):
formatting sprinkled in there.
So for Google to go from thatto PST is kind of artificial in
a way, because there is noreason for Google to have PST
output.
Kelly Twigger (12:46):
What's the difference between an Mbox and a
PST?
Arman Gungor (12:48):
PSD is Microsoft's format, and they have a whole
different take on this.
They have essentiallyindividual mappy properties, is
what they call them.
So it's like a containerindividual what properties?
Mapy.
So Microsoft's specificationand architecture for email,
essentially.
And in a MAPI container, wehave a bunch of different
(13:09):
properties, and they are storedin some type of fashion that's
not really defined in thespecification.
So you could have it beanything you want, but
Microsoft's take on is is to usethe compound file binary
format, which is essentiallywhat used to be the Microsoft
Word files and stuff like thatback in the day.
So that there's essential thatcontainer, and inside that
(13:30):
there's a bunch of streams, andeach stream contains a mapping
property.
But the gist of it is thatthere's a bunch of different
compartments in an email, andeach compartment, each property
stores a different aspect of theemail.
So one of those propertiescould be, for example, the
headers of the email, one ofthose properties could be the
text-based body of the email,one of them could be the
(13:51):
HTML-based body of the email,and a ton of others.
And presumably the reason forthis is that Microsoft's
architecture is a lot morecomplex than just email, right?
So you have Outlook.
In Outlook, you have emails,you have calendar items, you
have contacts, you have thepossibility to add warning
buttons into email.
So there's a lot of rich stuffthere that doesn't really fit
(14:11):
with the traditional MIMEstandard.
So you can't take all that richfunctionality and turn it into
a MIME email without any extrabells and whistles.
So to be able to store andhouse all this, they have to
have a database type system, andthat is essential their map
containers.
And when they export, they wantto preserve all that stuff that
they have on the server.
So they put it into a uh PSTmapping container that houses a
(14:35):
bunch of mapping properties andindividual messages in that in
essence.
So for Microsoft, this makessense because they have that
kind of architecture on the backend and they kind of reflect
that when they export it out.
For Google, when you exportindividual email, you see that
they have them as individualMIME messages.
So for them, it makes sense toexport Mbox files because
(14:56):
they're just concatenating abunch of them and getting them
out to you.
Kelly Twigger (15:01):
Make it really, I'm gonna break it down.
Google, simple.
Microsoft, complicated.
Arman Gungor (15:06):
Well, you could maybe you could boil it down to
that.
I mean, Google has a lot ofcomplexity too, but in different
ways.
But from a compliancestandpoint, I think that that's
a fair assessment.
Google Vault and Google's takeon email seems to be a little
bit simpler and easier to graspthan Microsoft because of all
the stuff that they'veinterconnected.
There's exchange, there'steams, there's there's a lot of
(15:27):
stuff going on there.
Kelly Twigger (15:28):
Yeah, just listening to that last two
minutes that you gave me, whichfor me being highly technical is
interesting to me.
I'm guessing everyone else isjust a lump over their heads.
Because it just that's whatmakes this, that's what makes
eDiscovery so hard for lawyers,is there are so many
responsibilities that litigatorsalready have, and being able to
understand this technicalinformation is difficult.
(15:51):
And it's just another job.
And so folks like you whoprovide forensic services in
litigation support who aresolving these problems are so
critical.
But I think just to take itback for a minute to the high
level for the lawyers, becausewhen we used to collect email
with physical attachments, whichvery rarely exist now, we had
(16:17):
an email, then we had the actualattachment.
And when they showed up in ourreview platform, we would have
the email actually there, andthen the very next document
would be the attachment, andwe'd have metadata that showed
the parent-child relationship,and we'd have all the metadata
for the attachment as well.
Now that we're collectingdocuments at hyperlink files,
(16:38):
how are we able to deal with theparent-child relationship?
You talked a little bit aboutthat ID structure from Google,
and I want to talk about it fromMicrosoft, but the version is
another issue that we come intowith that relationship.
And that is if I sent an emailto you today and I send a link,
(17:03):
let's say I send a link to thenotes for us to prepare for this
podcast, and you go into thosenotes and you make a change to
that, um, to those notes, and sothere are additional edits, and
you send me an email back andsay, Yeah, I've done some
updates.
Let me know what you think.
If we go and collect thoseemails, when we collect both of
(17:23):
them, let's say they're a Googlewill give us an ID that will
allow us to connect that samedocument to both emails, but
won't the version be the versionthat exists at the time of the
collection?
It's not gonna allow me tocollect the version that existed
when I sent it to you and thenthe version that existed when
(17:44):
you sent it to me.
It's only gonna collect themost recent or what we call the
contemporaneous version.
Arman Gungor (17:51):
So before we get into that, let me backtrack and
finish that last thought we hadbecause the reason we got into
Mbox versus PSD was one of thechallenges in the Vault export,
which I was saying that theycome in a container.
So the challenge that'sassociated with that container
is that you don't haveindividual messages to go and
tie to the individual items inthat reference file.
You have a container full ofemails, so you have to also
(18:13):
figure out how within thatcontainer the individual
messages tie with thosemessages.
Kelly Twigger (18:18):
So it's another level of complication with the
PS.
Arman Gungor (18:21):
There are some breadcrumbs there that we use,
and there's a good 100% accurateway to match them up, but
again, another challenge tosolve basically.
The second challenge was whatyou're just getting into now,
which is the versions problem.
And Google Vault currently doesnot do this.
So if you get the hyperlinkfiles from a Google Vault
export, it only gives you whatwe call Google Drive
(18:42):
attachments, and which would bethe current version of those
Google Drive files.
But it doesn't give you anyolder versions that fit the
email.
But what you mentioned is true.
So if you have a situationwhere there's an email and
there's a hyperlink file, andthe email is let's say sent a
few years ago, and the legalteam is interested in seeing
what that file looked like backat that time as the email was
(19:05):
being sent, then you get intorevisions in the Google world
and versions in the Microsoftworld, similar concepts.
So the good news is theproviders track those versions
of the emails.
So when you talk to, let's say,Google Drive API, you're able
to say, here's my file ID, and Iwant to see what revisions of
this file you have, and then youget a list back, and then you
(19:28):
can see what the dates of thoserevisions are, and you can
figure out okay, this revisionprobably goes with this email
based on the timing.
So you can pick the appropriaterevision, or you can get all of
them if you feel like seeingexactly how that file changed.
Kelly Twigger (19:40):
So if I'm a if I'm a receiving party, I've
received a production from you,and in that production, and I'm
gonna assume for purposes ofthis that you and I have agreed
as counsel that you'll providecontent to me, you'll you'll
provide metadata that tells meif there's a hyperlink in a
(20:01):
message, in a communication.
I can then filter in my reviewplatform once I've loaded your
production by the documents thathave hyperlinks in them.
I can then decide, reviewingthose documents, which hyperlink
documents I want.
And in addition to telling youwhich hyperlink documents I
(20:23):
want, I should tell you that Iwant which version I want.
Arman Gungor (20:29):
That's true.
Usually, in my experience, thismostly happens at the time of
collection.
So as opposed to a two-stepprocess, the parties decide,
okay, we want the Google Driveattachments to be in scope.
And then when collecting them,we want to either collect the
current version for all of them,or we want to choose the
specific version that goes witheach email, which we call the
(20:52):
last revision before the sentdate of the parent email, and
you automatically get thatversion and you have that in
your database.
But in some cases, internally,it might make sense before
production to do like atwo-phase process where you
don't actually get into allrevisions and all Google Drive
files and perhaps make aninitial collection and turn it
(21:12):
over to your internal legal teamfor preliminary review, and
then they identify hey, okay,these are the emails where we
are interested in the modernattachments, and we want to see
this revision based on date, forexample.
Then they can get back to theto their technical team with a
list like that and say, hey, wewant you to go back now and pull
these specific revisions for usfor these emails, and then you
(21:33):
can load that up.
Kelly Twigger (21:35):
Okay, so two options then.
One the parties agree at theoutset either to receive
contemporaneous versions or theversion that existed at the time
the email was sent.
If that's the option theparties take, is there a manual
process?
And I'm thinking aboutproportionality considerations.
(21:56):
Is there a manual process foryou as the provider to provide
though to give me the versionsthat were created at the time
the email was sent?
Arman Gungor (22:09):
It's automatic.
So forensic email collectordoes that assessment for you.
It'll take a look at the dateof the email, it'll get a list
of old revisions, evaluate theirdates, and pick the right
revision based on the timingcorrelation there.
If you wanted to do itmanually, then yeah, there would
have to be some type of processaround it to kind of automate
that.
Kelly Twigger (22:30):
So forensic email collector will do that for you.
It will give you the versionthat was sent at the time the
email was sent.
But is there built-incapability within Google or
Microsoft to do that currently?
Or do you have to have anoutside tool, like for instance?
Arman Gungor (22:44):
Yeah, I don't think they do that.
Google Vault just exportstoday's copy of the to the
modern attachments, and Ibelieve the same for Microsoft
right now.
So there is no you know,specific revision for an email
at the moment.
Kelly Twigger (22:57):
Okay.
Just I'm just gonna clarify onemore time, just because I know
everyone listening, this isgonna be an important point for
them.
And that is that if you want tobe able to collect the version
that existed at the time acommunication was sent, you're
likely going to need to use athird-party tool like a forensic
email collector to be able todo that, because that
(23:20):
functionality is not native toMicrosoft, whether that's
purview or to Google.
Arman Gungor (23:26):
It's not built into their ready-made discovery
tools.
It is native to them in thesense that it's part of their
API.
So if you know how to talkprogrammatically to their
systems, you could do ityourself too.
But it it requires you todevelop some software basically.
So if you're looking atoff-the-shelf products, then
you're right.
They're built-in e discoverytools, don't do that currently.
Kelly Twigger (23:45):
Okay, great.
Thank you for thatclarification.
I'm gonna ask you one morething, and that is because a big
part of this podcast is tryingto help lawyers learn the
technology and the terminologyso they can speak it and feel
more comfortable with it.
And we've used the term API acouple of times.
Can you explain what an API is?
Arman Gungor (24:03):
Yes, it stands for application programming
interface.
So it's a special interfacethat a provider offers for usual
software developers to be ableto talk to their systems in an
automated way and to do thingsthere.
That's what we use.
For example, when we talk toGoogle, we use the API to make
specific requests, such as, hey,give me this file or give me
this email.
What's the data on this email?
(24:24):
Kind of automatedcommunications with that
service.
Kelly Twigger (24:29):
Great.
Thank you very much for that.
I'm gonna switch a little bitbecause part of what prompted
our discussion was thediscussion that you had with
Rocky Messing and Tom O'Connor,I think it was almost a year ago
now, about this very topic andabout some of the capabilities.
And when you and I weretalking, prepping for today's
(24:50):
discussion, you said there'sbeen a lot of changes since that
call that we need to talk aboutin terms of the capabilities of
the tools.
What are those updates in termsof what's changed in the last
year?
And what do those continuingchanges mean for us as
litigators and what we need tobe thinking about in the
(25:12):
hyperlink files area?
Arman Gungor (25:13):
It is constantly changing, it's an evolving area,
as you might expect.
So on the Google side, like wementioned, there's support now
natively from Google Vault toexport hyperlink files.
So that was kind of a bigchange, and we kind of matched
their speed there and we builtFEC around it to support the
same thing.
On our side, there have beensome additions in the model
(25:34):
attachment area in terms ofMicrosoft.
We added first support foracquiring OneDrive files and
SharePoint sites entirelywithout related to emails, so
essentially just collectingOneDrive as a whole or
SharePoint as a whole.
And very recently, we alsoadded support for OneDrive
attachments of emails orSharePoint attachments of
emails.
(25:54):
So kind of the same path thatwe took with Google, replaying
that same playbook on theMicrosoft side and starting with
the OneDrive attachments, andthen we will continue to add the
advanced features to bring iton par with what we do for
Google.
And a couple of things we didrecently is also around that a
(26:15):
mirroring of cloud attachmentswith their emails.
What we initially did was whatwe call drive attachment
packages, which was essentiallya bundle of parent email
conventional attachments anddrive attachments and revisions
all in one package.
And now we took that a stepfurther recently, and we do
something called staging now,which is essentially an extra
(26:37):
preparation step that takes kindof cherry picks either the
original email or the modernattachment bundle, depending on
whether or not that email hadmodern attachments.
So let's say that you have fiveemails, only one of them had a
modern attachment, and the otherones did not.
So in the output, you wouldhave four emails as just emails,
and then one of them would comewith the modern attachments,
(27:01):
essentially making it ready toingest right away.
Before they were in twoseparate places, and it took a
little bit extra preparationstep for people to reorganize
them and get them ready to throwinto some review or rediscovery
tool.
So we made that a little biteasier, mostly for small to
medium-sized firms.
I would say our large serviceproviders have internal
processes that already do thisautomatically, so I don't think
(27:24):
they needed that.
But smaller service providersor law firms or small companies
that do this kind of stuffinternally, they don't have the
resources to build a processaround it, usual.
So we're trying to help themget there pretty much in a
plug-and-play fashion.
So those are the maindifferences.
I would say the most remarkablething is probably the OneDrive
(27:44):
attachments, which is somethingthat a lot of people have been
creating for.
So that's new, and we'll seewhere we'll take it from there.
Kelly Twigger (27:53):
And those are all that's all functionality that's
in the forensic email collectortool, right?
You've been continuing todevelop that as technology has
changed with Google andMicrosoft.
Arman Gungor (28:02):
That's right.
The first part that Imentioned, Google Walt has
support, that's definitely theirown thing.
But outside of that, yeah, allthe staging packaging and
OneDrive attachments are all inforensic email collector.
Kelly Twigger (28:12):
And essentially what you just described in terms
of the stag, the puttingeverything together in a package
that I can then load into areview platform, will that show
up the same way that physicalattachments used to in a
parent-child relationship withmetadata that supports it?
Arman Gungor (28:28):
That depends on how the review tool handles it,
because it's not exactly anemail anymore.
That's probably somethingthat's worth clarifying too,
because a lot of people havethis question.
And the question when youcollect modern attachments, how
do you output that?
Do you uh insert them into theoriginal email or do you keep
them outside?
And I think that's an importantconsideration.
(28:50):
And the answer to that is we donot put them in the original
email.
And we have a few reasons forthat.
One of them is that once youopen up that original email and
insert modern attachments intoit, then you make very
substantive changes to theemail.
All the metadata changes, myboundaries change, the digital
signatures don't verify anymore.
So you just create a whole newemail, is which is not
(29:10):
desirable.
The second thing is when youconsider the context of
information exchange andproductions, if this is not
clearly communicated, it couldbe a misunderstanding.
Because if I received an emaillike that with a bunch of modern
attachments, I might be misledinto thinking that that's how
that email originated, but it'snot really case, it's a
constructed email that's piecedtogether from different sources.
(29:33):
So that's another potentialsource of confusion.
But probably the mostcompelling reason is that cloud
attachments can be very numerousand very large.
Let's say that an individualshared not a Google Drive file,
but a Google Drive folder inemail, and the folder contained
10,000 items totaling twoterabytes in size.
If I took that 10,000 items andtwo terabytes and shoehorned it
(29:55):
into that one email, they'regonna all have all sorts of
processing problems on the Asyou throw that into your review
tool or do anything with it,really.
So it's really almostunfeasible to do that.
So we chose a different path.
So instead of modifying theemail and putting them in there,
we create essentially zippackages where in the zip
there's the original email.
(30:15):
Like I said before, there's theconventional attachments that
are already in that email.
And then the cloud attachmentsand revisions are also in the
same zip container.
So if you have a review toolthat automatically treats zip
containers as a family, thenthat would be pretty much a
no-brainer.
You'll be good to go.
If you have any discovery toolthat treats zip containers as
(30:37):
folders and doesn't really careabout the parent-child
relationship in there, then youmight have to do some extra work
there.
So that depends entirely on thesolution.
I know that a lot of our userswork with the mainstream
e-discovery hosting providers,the big names, and they all have
found ways to do that in anautomated way to link that to
(30:58):
have that parent-childrelationship.
So I think for the most part,it's an unissue now.
Maybe in the initially it mighthave been a bit of a challenge
because it was new.
But I think probably hostingproviders have already
encountered this enough that nowthey know what to do with it.
Kelly Twigger (31:13):
So yes, if you have your own litigation support
team, and yes, if they'veworked with these issues and
come up with solutions for them.
But let's say that representsabout 5% of the population of
litigators, right?
That the other 95% are going,okay, I don't know what the
questions are that I need to askhere.
And so let's clarify from ajust a high level as a
(31:35):
litigator.
If I'm talking to you as myhead of litigation support or my
person who's responsible forgoing and doing the collections,
what are the questions or whatare the things that I need to
tell you so that you do thecollection in a way I want it
done?
And the flip of that is what doI need to negotiate with the
(31:58):
other side to be able to get towhat I call hyperlinked files
and you're calling modernattachments?
Arman Gungor (32:05):
Yeah, I think like the general description of you
know what you need on the outputside is important.
That's gonna come down to therest of your processing stack
for the most part.
I think it's gonna come down toyou know what type of
structures your YouTuberecognizes as an attachment
family.
Kelly Twigger (32:21):
So the That's tech that's complicated, that's
litigation support, peoplehosting data, strict litigators.
What are the things I need tosay?
So it seems to me I want theemail, I want to know which
version I want, whether I wantthe contemporaneous version or
whether I'm willing to take themost recent version or the
(32:43):
version that exists at the timeof collection.
What are the other things thatI want besides version?
Do I want metadata?
Arman Gungor (32:50):
Yeah, some sort of thing.
Another important thing is youwant to define or decide on how
you handle folders, becausethere's a distinction between an
individual file modernattachment and email, and then
there's a different scenariowhen there's a folder.
What do you do then?
Do you ignore that folder, ordo you want your tool or process
to actually dig into thatfolder and extract everything
(33:12):
that's in there?
Do you want that to do itrecursively if there are any
subfolders that are in there?
So that's an importantdistinction because, like I
said, like somebody could sharethe root of their shared Google
Drive for the whole team, andthat could be really large.
Kelly Twigger (33:25):
So that's another that then so what I'm trying to
articulate for listeners is doI need my team to look at the
data first and understand whatthe issues are that I need to
provide guidance on?
And if this is the other side,how am I gonna ask them?
(33:47):
Am I gonna say, hey, look,guys, I want you to go in here.
I want to know, here's what Iwant to do on versions.
If there are folders at issue,I want you to identify those,
and then I want us to meet andconfer about those specific
issues.
Is that a good approach?
Arman Gungor (34:03):
Yeah, I think in the initial meet and confer, the
two things that I would try todecide on is are modern
attachments part of this?
And if so, are we interested inthe current versions of these
modern attachments or thecontemporaneous versions like at
the time that the email wassent?
So that's the initial decisionto make.
Once we have that, internallyyou might have to do a
(34:23):
multi-step process where you dolike an initial assessment to
see maybe the volume of cloudattachments you have.
Are there any folders therethat have been shared and how
much stuff there is potentiallyin those folders?
And are revisions-wise, youknow, are there any specific
revisions that are reallyrelevant that should be
produced?
So there internally, you mighthave to do like multiple takes,
(34:44):
and then there might be anothermeeting confirmed to confer to
reiterate some of those pointsor discuss further.
But initially, definitely youwant to discuss modern
attachments and the versionissue.
Kelly Twigger (34:56):
If I'm working with a corporate client and I
have access to their Microsoftemail, how can I go into the
email in appropriate custodians'mailboxes?
And I'm limiting that knowingfull well that we're moving away
from custodial discovery.
But let's say I'm going intospecific custodians' mailboxes,
(35:18):
how can I determine which emailsor how many emails have an
attachment, have a hyperlink tofile associated with them?
Arman Gungor (35:24):
Yeah, that's that's a good question.
So there's a way to access yourcustodian of choice or all of
them using Microsoft'sauthentication mechanism.
So authentication-wise, that'seasy.
But in terms of metadata andhow to quickly determine which
ones have cloud attachments,that's something that I do not
(35:45):
recall seeing as a search termin Microsoft's tooling.
Like uh Google has this, forexample, where you could run a
search and identify which emailshave cloud attachments.
I don't recall off the cuff ifMicrosoft had that, I believe
not.
If they don't, then you mighthave to do some type of initial
metadata only acquisition toessentially get some information
(36:05):
about those emails and then gofrom there.
Kelly Twigger (36:07):
But yeah, I don't think what metadata fields
would tell you that there's ahyperlinked file included in the
text.
Arman Gungor (36:15):
Yeah, I don't actually in in addition to
metadata, I think to be on thesafe side, you might even have
to get the body of the messagebecause there's gonna be the
hyperlinks that are in the body.
Kelly Twigger (36:24):
So very so very difficult, if not impossible,
then to determine how manymessages you might have in an
email collection that havehyperlink files in Microsoft's
email.
Arman Gungor (36:34):
Off the top of my head, I didn't have a good
solution for that, but I I willdo some research into that to
see if Microsoft has a mechanismto search for that.
Kelly Twigger (36:42):
I think what we're trying to do here is
identify what the issues are,right?
And that's what comes to whatyou and I discussed previously,
which is the proportionalityconsiderations, right?
What are a party's obligationswith regard to hyperlinked files
when the email service thatthey use doesn't allow you to
filter by which documentscontain hyperlinked files, so
(37:05):
you even have a sense as to howmany are there.
And then to be able tonegotiate from there is very
difficult.
So it does feel to me, based onthe technology as it exists
right now, that in dealing withMicrosoft email, that a number
of the types of processes thatparties have undertaken in case
(37:26):
law is to do a samplingapproach, right?
I will provide you the email,you identify of the documents
containing hyperlinks, whichfiles you want, you come back to
me.
At that point, you might evenbe looking at which version you
want of those files.
And then those files areprovided.
And many parties, there aremany examples in the case law of
(37:48):
parties doing that samplingapproach, right?
We'll come to you with X numberof requests a week.
You get two weeks to respond tothat, you give us those files,
then we can give you X number ofrequests.
Usually it's 20 to 50 every twoweeks or so.
I think the most recent exampleof that is the NRA Uber case.
So do you know, Arman, ifMicrosoft or Google are going to
(38:11):
continue to make additionalupdates to their technology to
help resolve this problem from adiscovery perspective?
unknown (38:17):
I don't know.
Arman Gungor (38:18):
First hand knowledge, but I can only
imagine that they will, becausethis is an emerging issue.
And from what they've done inthe recent past, I think it's
safe to say that they'reexpected to keep moving in the
same direction.
But yeah, I mean what you'resaying is true, and there are a
lot of challenges.
There are more challenges thanwe covered.
For example, in terms ofidentifying which items have
(38:38):
cloud attachments, Google hassome mechanisms to run some
searches to identify them.
But when you actually validatethose searches, what the
searches return is not alwaysexactly true.
When we do our own assessmentof which items have drive
attachments, we find more thanwhat Google returns.
So it's you can't reallyblindly rely on that.
But it could be a good startingpoint to like get the ball
(39:00):
rolling and have a rough idea ofwhat volume to expect.
The other trouble is this: let's say that you have a bunch (39:04):
undefined
of emails and they have cloudattachments, but there's no
guarantee that you're gettingthose cloud attachments because
when you request them, you mightrun into a few issues.
One of them could be that thatattachment is no longer there.
So what if it was inserted thatwould then subsequently
deleted?
There's still the hyperlink,but the file is gone.
(39:24):
The second thing is you may nothave the permission to access
the file or download the fileany longer.
Perhaps you had it and youdon't you lost it later, or
perhaps you never had it andsomebody sent you an attachment
that you didn't have accesspermissions to download.
So there's definitely quite afew moving parts and challenges.
But that's not to say that youknow, well, this should not be
(39:47):
part of e-discovery.
I think it's just good forpeople to be roughly aware of
you know what type of challengesthey might face when they go
down this path and have somepotential solutions and
workarounds for them ready, orat least know that you know
these will need some discussionwith opposing.
Kelly Twigger (40:04):
Yeah, you and you touched on a big important
point, and that is essentiallypossession, custody, or control
as it relates to the files thatare at a hyperlink in a
communication that is otherwiserelevant.
So if I have an email, like theemail exchange we were talking
about before, where I sharethose notes with you who go on
(40:26):
your merry way, I remove youraccess to those notes.
Someone collects your email andthe link that exists is there,
but you no longer have access tothat file.
And so the question becomeslegally, are you obligated to
provide it?
And the answer is if you nolonger have access to it, then
it is not in your possessioncustody or control.
(40:48):
So we've got this nowoverlaying argument or challenge
on top of providing hyperlinkedfiles.
And I think so.
There's the possession custodyor control argument, which is an
issue.
And there's also anotherargument that Doug Austin raises
regularly when we talk abouthyperlinked files, and that is
(41:10):
that preservation of hyperlinkedfiles is very difficult because
of the way that these systemsare set up.
And if you're put on legalhold, but you no longer have
access to that document that Ijust mentioned, and I'm not on
legal hold, then that documentmay never get collected or it
(41:31):
may not get preserved.
And say the document rolls offbased on a retention policy that
otherwise it should have beenon legal hold.
Is there a way that we're goingto be able to can we deal with
that right now?
That preservation issue?
Arman Gungor (41:45):
Yeah, that's that's tough.
And what you mentioned earlieris very true.
And that has actually twocomponents to the control and
ownership and access issue.
There's also the issue of let'ssay I have my mailbox and I
have some Google Drive hyperlinkfiles in there, and a number of
them are mine from my GoogleDrive, but a number of them are
from the outside, people thathave sent me files.
So they're not my Google Drivefiles, I just have access to
(42:07):
them.
So if I have access to them, wecall these shared with me
files.
And both providers, bothMicrosoft and Google, have this
concept.
So are you obligated to alsoproduce these shared with me
files?
If you if you don't have accessto them, then you can say it's
not feasible.
But to the extent that you areable to access them, do you
include them in your production?
That's another challenge.
And then there's that issue oflegal holes, and that was a
(42:30):
potential problem there as well,because Google Drive and the
email data are two separatethings.
You might run into problemswhere maybe the email is held
for retention, but thecorresponding drive files are
not.
So you have a situation where,yeah, you have retained the
emails, but the linked drivefiles are gone, and you can't
really perform a full GoogleDrive hyperlinked export and
(42:54):
production anymore.
So that's another thing thatneeds to be set up.
Kelly Twigger (42:57):
Yeah, that's a huge problem because now for
preservation, we can't just puta legal hold on email boxes the
way that we used to.
Now we have to put a hold onSharePoint sites, Google Drive,
wherever the documents that willbe linked to the communications
might live.
Arman Gungor (43:13):
That's something that the providers will have to
solve.
So for Google, for example,when they allow you to prepare a
hold on a mailbox, then thereshould be an option that says,
do you also want to hold anyhyperlink Google Drive files?
And if so, they should be partof that hold automatically.
Otherwise, it would be reallydifficult for the end users to
handle that because the onlything you could do is hold the
(43:35):
entire Google Drive.
And that's even in some casesperhaps not feasible because of
the fact that some of thosemight become from the outside.
So you have access to them, butthey're not yours to hold.
So there's some retentionchallenges there as well.
Kelly Twigger (43:49):
But yeah, yeah, there are there are legal
questions.
There are significant legalquestions.
And I think we I just did apodcast last month with Judge
Rodriguez from the districtcourt in Texas, and we talked
specifically about thepossession custody or control
issue and whether or not the thetests that we currently use for
possession custody or controlreally hold up under the
(44:10):
technological advancements thatwe've seen in the last decade or
so because it's just thelandscape has changed so
substantially, and the use ofmobile devices to communicate
has just it's really muddied thewaters of e-discovery.
We got very comfortable dealingwith email and attachments and
how we've just blown it up andstarted all over.
I there's a couple of thingsthat else I wanted to ask you
(44:33):
about.
One is you you mentioned to methat there's a second tool that
you've built at Metaspike calledForensic Email Intelligence or
FEI.
Can you tell us a little bitabout what that tool is, what it
does?
Arman Gungor (44:44):
Yeah, so it's an investigation tool that
essentially kind of takes itfrom where forensic email
collector leaves off and startswith already locally available
emails.
So not a collection tool, butworking with email files, MSG
files, PSTs, OSTs, that kind ofexisting email data.
And then allows for emailinvestigations.
The main use case there is ifyou have a case and there's, for
(45:06):
example, email fraud, somebodybackdated an email, there's
maybe business email compromise,a phishing email has been sent,
a wire transfer has been madeto a wrong party because of a
man-in-the-middle attack orsomething like that.
Which is quite common thesedays.
So it is a tool that's designedto kind of deep dive into email
and break it into itscomponents and look at what we
(45:26):
call tool marks.
So you know, when an emailclient touches an email, it
usually leave some marks interms of hidden timestamps and
different headers and things ofthat nature.
So kind of interpret that data,correlate them, and then score
the emails across the board sothat you can load up, for
example, millions of emails andthen have the tool automatically
score them.
(45:47):
So in a large case, you have astarting point of which emails
do I look at first if you knowif I don't know where to start.
That's a problem I personallyhad.
I would be score them by what?
Score them based on howegregious their problems are in
terms of the internalinconsistencies in the email.
Kelly Twigger (46:04):
Oh, okay.
Arman Gungor (46:05):
So for example, the email has some digital
signatures, but they don'tverify, so that's a problem.
Or the email has someattachments, but the date of the
attachment is after the date ofthe email.
That's another problem.
Or the email has some hiddentimestamps in its message
identifiers and things of thatnature, and they don't match up
with the email's apparent date.
Kelly Twigger (46:22):
So all those different data points has a
scoring system for each one ofthose problems, and the more
problems you have, the higheryour score is, and so those get
elevated to the top to look at.
Arman Gungor (46:32):
Exactly.
Yeah, because I would, youknow, I've received some cases
in the past where I would beasked to look at a specific
single email, and when I havethat, it's easy because I know
what to do, and it'll take memaybe a few hours to get through
all the details of the email,but I can solve that no issue.
But when somebody gives me,okay, we've been receiving these
email productions, and here's200,000 emails, and we know this
(46:53):
person is a fraudster, sothere's a bunch of fraudulent
emails here, but we don't knowwhich ones, so figure this out.
That becomes a whole differentproblem because then I don't
have a starting point, and wheredo I even go?
So this mainly solves thatissue where you can throw them
in and automatically score them.
Kelly Twigger (47:08):
So you just load all 200,000 emails into that
tool, it analyzes them, createsthat scoring system, and then
ranks them for you to startlooking at.
Arman Gungor (47:16):
Yeah, it also analyzes them contextually too,
because there are also someproblems in emails that only
come to the surface when youlook at the whole case.
For example, let's say that uh,you know, one of the metadata
fields in emails is calledmessage ID.
It's one of the traditionalemail headers that everybody is
aware of.
So it's supposed to be uniquefor every instance of every
email.
So if you have a specific emailmessage and you made five
(47:38):
copies of it, then yeah, theywill all have the same message
ID.
That's not a problem.
But if you have multiple emailswith the same message ID but
their contents are different,then that's kind of a problem.
How is it that there aremultiple emails that they say
different things but they havethe same message ID?
And this is based on real casesI worked.
We've saw some cases based onexactly this kind of problem
where somebody would producehundreds of fraudulent emails
(48:01):
and they would make mistakes andthey would reuse the same email
template to produce multiplefraudulent emails, and then you
would catch them by thosesimilarities in their emails.
So we also do that type ofcontextual analysis to see if
there are any patterns in thewhole project rather than just
in the one email.
Kelly Twigger (48:21):
I think that's fascinating, and the reason I
think that's fascinating isbecause one of the things that I
focus on is being able toleverage ESI to tell a story.
And what you've just explained,using FEI with fraudulent
emails is a beautiful way to beable to tell a story, right?
(48:42):
With not a significant amountof cost from a legal perspective
to be able to do thatinvestigation and understand a
story that otherwise with peopleand just looking at data with
my naked eye that I wouldn't beable to tell.
So if someone says to me, thisemail's fraudulent, I don't know
(49:04):
where it came from, we can useyour tool, someone can use your
tool, you could use your tool tolook at it and be able to tell
us what is wrong with it, why weknow that it's fraudulent.
Arman Gungor (49:13):
It's true.
And you know, I would like yourlisteners to take one thing
from this.
You know, email evidence isobviously very prevalent
everywhere, but unfortunately,because it's textual, it's also
very easy to modify.
So when you have key smokingand emails in a case, I would
refrain from taking them withface value by default because a
lot of times they are uhpossibly modified.
(49:35):
I've seen so many cases wherethere was email fraud and so
blatant fraud that you wouldn'tthink somebody would actually do
this and put it in front of ajudge, but they do anyway.
So it pays to at least quicklytry to verify those emails'
authenticity, and it's easy todo in most cases because they
have digital signatures that arevery easy to verify.
If you have a receiver's copyof an email, essentially what
(49:58):
happens is as the email travelsfrom the sender to the
recipient, the servers on theway along the way sign the
message with their private keys.
The technical details of it arenot that important, but the end
result is that at the end youhave an immutable digital
signature that tells you whetherthe email is changed or not
since it's been signed.
(50:19):
So it makes it really easy toverify okay, the email's message
body and the attachments and acertain set of key header fields
may have been changed or couldnot have been changed by anybody
else after it's been sent andreceived.
So that's a very quick check todo, and I think it's incredibly
valuable, incredibly valuableto essentially have like as a
(50:39):
first line of defense, you havea key email, have it checked or
check it yourself, easy to do tosee what that signature says.
If it's bad, then that mightwarrant some further looking
into to make sure you knowyou're not dealing with fake
evidence.
Kelly Twigger (50:54):
One of the things that's that's fascinating, and
I one of the things that comesup for us as litigators on a
regular basis is timing, becauseit may be two days or a day or
five hours before a depositionwhen we're sitting down with an
email and we're looking at itgoing, this doesn't seem right
to me.
This just doesn't, there'ssomething off here, and I don't
(51:18):
I can't do what you can do withyour tools or with your
knowledge.
But when I how long does ittake if I called you and said,
Arman, I need your help lookingat this email?
I'm gonna postpone thisdeposition for a week.
Can you help me take a look atthis?
Tell me what you need.
What is the timing associatedwith that?
Like how quickly can you helpsomeone?
Arman Gungor (51:35):
If you have an email, like an individual email
you're interested, and if youhave it in the right format, to
do a preliminary check like thisand verify digital signatures
is press a button and you getthe results.
That's not really a fullexamination of you know every
little bit in the email, butthat gives you like a
preliminary, very quickassessment.
But the right format isimportant, and that is where
(51:56):
we're going back to you knowhaving the emails collected in
the right format.
And we had this discussionabout, for example, Mbox versus
PST earlier.
It is important to stay in theright and original format of
these emails because all thosedigital digital signatures are
out the window once you convertthe emails.
Kelly Twigger (52:12):
So if you have what is the right original
format of an email?
Arman Gungor (52:16):
Typically, that's going to be a MIME message.
So, similar to, for example,let's say you have a Gmail
account, you go to gmail.com andyou click on your email and you
say download original, it givesyou an email file.
That's the original MIME email.
Same thing with Yahoo! You saydownload raw email message, I
think for Yahoo, and it givesyou the same format.
So that's that's the universalformat called internet message
(52:36):
format, and that's how theemails travel over the internet.
So the digital signatures thatare applied to the emails are
essentially calculated based onthat format.
So once the email is convertedto a different format, like
going from email to PSD, forexample, then the signature is
totally invalid now, so you justlost that ability.
Kelly Twigger (52:56):
So in all this that because you said Microsoft
doesn't store its emails asmimes.
Arman Gungor (53:02):
Yeah, exactly.
So Microsoft breaks it apartwhen you export from Microsoft
though.
Initially they didn't have away to do this, I think, but
they have a way to store whatthey call the MIME skeleton of
the email so that they're ableto rehydrate and give you that
MIME message when you make arequest against their API.
So Microsoft also does supportMIME email collections, but
(53:24):
there are some challenges there.
One of the issues withMicrosoft is that as part of
that intake process, they modifythe email contents.
So when I receive an email as aMicrosoft user, for example,
when my received copy arrives inmy mailbox, I find that the
HTML body of the email isslightly different than what the
original sender had composedbecause of some internal
(53:46):
processes they have, and thatinterferes with the digital
signatures.
To a small extent, that isreversible because we know what
that is.
So if I have a relatively briefemail with not too many bells
and whistles, I can actuallyundo that and still verify the
signature, which I've done inthe past.
But as the emails get morecomplex with a lot of
attachments and lots of body andstuff, then that becomes very
(54:08):
difficult.
And I see that as a majorproblem and as a negative
towards Microsoft's systemsright now.
I hope they they fix that issueso they can give you
unadultered emails in the nearfuture.
But that's only Microsoft rightnow.
I mean, pretty much all theother providers deal with MIME
and they don't really change thecontents of the MIME emails.
(54:30):
So as a general practice, evenif you are accustomed to using
PSD format, which a lot of usare in the eDiscovery, it's the
format to use for informationexchange.
If you deal in PST format, Iwould say also collect MIME
copies of these emails as aninsurance policy because you
never know.
Kelly Twigger (54:48):
And you go back if you've preserved the emails
and they're still existing onthe Microsoft.
I was gonna say server, butobviously it's not a local
server anymore.
If they're still existing inthe Microsoft environment, you
could always go back andrecollect it in a MIME format,
right?
If necessary.
Arman Gungor (55:03):
Well, it might be too late though, then.
But you know, that might besome situations where the email
is no longer available.
Kelly Twigger (55:09):
I would say make it part of the email, preserved
if it's on hold, and you couldgo back and recollect it in the
MIME format if necessary.
Yeah, because I don't thinkthere's a way to do a second
pass if you might startcollecting something in MIME, as
opposed to in their PSTs, theway that the because that's a
standard export from Microsoft.
Arman Gungor (55:28):
The problem that I've seen is this usually case
timelines are pretty long, asyou know.
So when the project starts,when there's a dispute, there's
an initial preservation, and bythe time the case is adjudicated
and it comes in front of thejudge, and there's maybe some
concerns of authenticity and allthat stuff, several years may
have passed.
So by then by the time you goback and revisit that, you may
(55:52):
have lost context.
And there's another issue whenyou preserve the emails, you
we're not only interested inwhat's in the emails, but
there's additional informationabout the emails, which we call
server metadata, essentiallycontextually information about
the emails that are not in theemail itself.
And to give you some simpleexamples, for example,
identifiers of these emails areusually sequential.
So you might have some sequenceinformation from the email
(56:14):
folder, right there, as in youknow it's emails 5678, for
example.
But if you look at email numbersix, its date is completely out
of sequence, so there's a bitof a discrepancy there in terms
of the sequence of these emails.
So there's a lot of clues therethat lie in the server
metadata.
And by the time you come backand revisit that case in two
years and try to dig into that,it might very well be too late.
(56:37):
So all the preservation stuff,I would highly recommend to take
care of in that initial phaseof preservation and not leave it
for like, okay, if there's adispute, we'll deal with it
later and in the future.
Kelly Twigger (56:49):
No, I completely hear you.
And that's the second or thirdtime that something that you
said has prompted me back toanother theme of mine, which is
you need to be doing this veryearly.
You need to be engaged with allof these data-related issues
very early on in the case, thatwaiting, as we often do as
(57:10):
litigators, until you get totrial to try and address some of
these issues, you're going toend up in a world of hurt
because the way electronicinformation can go away,
regardless of your bestintentions, to be able to keep
it in place.
And so that can be a tremendousproblem.
So I think that early planning,that early engaging with the
information, the early focus ontelling your story and what you
(57:33):
need to be able to tell yourstory is so critical in terms of
understanding but addressingall of these technological
challenges that come withgetting the information.
And one of the things that Italk about a lot is that we
really have two separateobligations in discovery.
One is to find the informationto allow us to tell our client's
(57:57):
story.
And that's perhaps your primarygoal.
But the second is to meet yourobligations to provide
information and discovery underthe rules.
And oftentimes we get toofocused on meeting our
obligations to provide discoveryand not on telling the story.
So I think what your thisentire conversation has really
emphasized for me is that you'vegot to focus at the outset
(58:22):
about what is the evidencethat's going to allow you to
tell the story and how are yougoing to get that in front of a
court.
And you got to try to addressthose technological issues
early.
Otherwise, you could end up,like you said, with not being
able to have either the form orthe information at all to be
able to recreate that story.
Arman Gungor (58:43):
It's true.
And I think you can go even alittle bit further back because
if you are, for example, generalcounsel for a corporation, or
you are essentially thecorporation that's planning to
have some type of litigation inthe future, like possibilities.
I think, like, you know, whenyou're setting up your IT
systems, you're essentiallyabout to settle into a workflow,
(59:04):
and that might involvecollaboration tools, it might
involve cloud storage tools.
I think before you really getstarted fully, it pays to kind
of evaluate your stance in termsof e-discovery readiness.
Because, you know, let's sayyou're going to use Provider X
and they support modernattachments and they support a
collaboration tool.
It's really cool.
But from day one, I would sitdown and say, okay, what would
(59:27):
happen if we got into litigationtoday and if we were asked to
produce all this stuff?
What are the steps that we needto take?
So to do like a dry run,basically, and figure out
exactly what would have tohappen for you to be able to
pull that off before you usesomething like confidential mode
in Google or the end to endencryption in Google, for
example, that's relatively new.
Is it really feasible to havethose features and at the same
(59:50):
time be reasonably ready forlitigation?
If it's not, then you mighthave to restrategize before you
really settle into thatworkflow.
Because otherwise, by the timeseveral years.
Pass and you have accumulatedterabytes of data and you know
thousands of modern attachmentsand encrypted files, you might
find yourself in a deadlockwhere you're ordered to do one
thing, but the reality is youjust can't do it.
Kelly Twigger (01:00:14):
Yeah, that's spot on.
I think knowing what yourcapabilities are before you even
get into litigation, but at thevery least, identifying them as
soon as your duty to preserveattaches or you reasonably
anticipate litigation is socritical because otherwise we
find ourselves agreeing to allkinds of things that we then
(01:00:35):
can't meet.
And we get in these huge longnegotiations about what we're
able to provide, whether it'shyperlink files or anything
else.
So this has been a fant afascinating conversation, Armin.
I'm so appreciative.
Thanks so much for joining uson the Meet and Confer podcast.
Can you, before we go, telleveryone whether if they don't
have FEC or FEI and want to haveaccess to those tools and
(01:00:57):
training, how they can getaccess to those?
Arman Gungor (01:01:00):
Yeah, sure.
Our website is Munaspike.com.
Our software and pricing andeverything is there.
So we work with online orders,so you can go pick up a license
there if you like.
We usually have live virtuallive training every six months
or so.
We have actually a forensicemail collector training coming
up in five days.
So in those trainings, weessentially try to cover it soup
(01:01:20):
to nuts from modern attachmentsto in-place searches, exports,
all kinds of details.
So it's helpful to kind of wrapyour head around what the
possibilities are and getinvolved in using the tool
fully.
We have another training that'son forensic email
investigations that's actually arandom neutral training.
It's not based on our own tool,but it's just a general email
(01:01:43):
investigation training programwhere we take you through my
messages, kind of similar to thethings we discussed.
What are the email headers?
What are digital signatures?
What are some marks of fraudand manipulation of emails?
What are the possibilities thatproviders offer for capturing
server metadata, evaluatingthose practice labs and stuff
like that?
So all that isMetaspike.com.
(01:02:04):
A lot of you might have me ontheir LinkedIn so you can reach
out to me there if you like, andwe'll go from there.
Kelly Twigger (01:02:11):
Fantastic.
All right.
Thanks so much, Arman.
We'll have to follow up againas the technology continues to
change and our capabilitiescontinue to change, specifically
as it relates to hyperlinkfiles.
But I'm so grateful for youbeing here today.
Thanks so much for joining usand imparting all your wisdom.
Arman Gungor (01:02:26):
Thanks for having me.
Thank you.
Kelly Twigger (01:02:31):
That's it for today's episode of the Meet and
Confer podcast.
Thanks for joining me, and ahuge thank you to Arman Gungor
for sharing his expertise onhyperlinked files, modern
attachments, and the constantlymoving target of cloud-based
email and document workflows.
It gets complex in thee-discovery workspace, and we're
incredibly grateful to folkslike Arman who are spending
(01:02:51):
their time figuring outsolutions for us to be able to
find the evidence we need totell a story with ESI.
If this conversation has yourethinking how you're handling
discovery or realizing how manyassumptions you're making about
hyperlinked files, versions, andaccess, that's exactly why I
built Minerva 26.
It's a discovery strategyplatform that helps litigators
(01:03:14):
create and validate theirdiscovery strategy by connecting
case law rules and real-worldworkflows, such as how to
identify and handle hyperlinkedfiles, so that you can make
faster, more defensibledecisions that shape your
emotions, protect yourcredibility, control costs for
your client, and let you get theinformation you need to tell
(01:03:36):
your client's story and win.
To see how Minerva26 can becomethe strategy hub for your
discovery decisions, head toMinerva26.com and schedule a
strategy session or request ademo.
Until next time, rememberDiscovery isn't just a box to
check, it is your litigationstrategy.
Leverage ESI to win.
Welcome to the Meet and Confer Podcast.
I'm your host, Kelly Twigger.
I'm a practicing attorney andthe CEO and founder of Minerva
26, a discovery strategyplatform that helps litigators
create and validate discoverystrategy by connecting rulings,
rules, and workflows so they canmake faster, defensible
decisions that protectcredibility and control costs.
(00:33):
If you're afraid of what to dowith ESI, we're here to help.
Today I'm joined by ArmanGungor, who also has two roles
in the e-discovery space.
Armand serves as the vicepresident of forensics at
Meridian Discovery and is alsothe founder of Metaspike and the
creator of Forensic EmailCollector and Forensic Email
(00:56):
Intelligence.
Arman has been right in themiddle of the hyperlinked files
and modern attachments battlessince 2021 when Judge Parker's
decision in Nichols v.
Noom first pushed his work withForensic Email Collector into
the spotlight.
We're going to unpack whathyperlink files really are, what
Google and Microsoft actuallygive you today, how tools like
(01:19):
MetaSpike's change what'sreasonable in discovery and what
all of this means for yourobligations and your strategy.
If you've ever looked at anemail with a link instead of a
PDF and thought, what exactly amI supposed to do with this?
This episode is for you.
Let's dive in.
Arman, thanks so much forjoining me today.
(01:40):
I really appreciate you beinghere.
Thank you.
Arman Gungor (01:42):
Likewise.
Thanks for inviting me.
Kelly Twigger (01:44):
We have a an important topic to talk about
today that I know is somethingyou became quite famous for in
2021 when Judge Parker wrote theNichols v.
Noom decision, and theplaintiffs argued that Noom
should use your forensic emailcollector tool to collect
hyperlinked files in thatparticular case.
(02:08):
And the court actually declinedto order them to do so because
they'd already done aproduction.
But I think it was the firsttime for me that your tool and
you became in the spotlight ofthis hyperlinked files issue.
So I really appreciate youbeing here today.
And I wanted to talk to youabout this because I think one
(02:29):
of the challenges that we havein Discovery now, because it's
mostly all ESI, is this notionthat technology keeps moving
forward.
And we as lawyers, ourobligations keep changing.
We keep needing to understandmore about the technology and
(02:50):
the technical aspects in orderto make uh crucial strategic
decisions for our clients interms of discovery.
And hyperlinked files is one ofthem.
So I will I'm gonna turn itover to you to let you describe
the problem and I'll jump in.
Arman Gungor (03:09):
Yeah, thank you.
Sure.
So what we mean by hyperlinkedfiles is when there's an email,
we are used to having theconventional attachments of
emails, which will be actualfiles.
But what happens when somebodyinstead of sharing an actual
attachment, they share ahyperlinked file in the body of
an email.
And that could be a deliberatechoice, as in you know, somebody
just clicks the share buttonand they share a file with
(03:31):
someone, or it could besomething that's enforced by the
provider.
For example, Google does thisfor, I believe, attachments over
25 megabytes.
And if you try to attachsomething large, it'll become a
Google Drive file, and then ahyperlink will be embedded in
the email.
So what happens if somebodyshares a file?
And it doesn't have to be afile, it will also be a folder.
(03:51):
So if somebody shares a file ora folder, what do you do then?
Does it become part of theemail?
Is it within the scope ofdiscovery?
What happens if you don'tinclude that at the at the time
that you perform the forensicpreservation?
So that's the challenge.
I think the first part of thequestion, as in, you know, is it
part of the email's context, ispretty straightforward.
(04:12):
I think it is definitely partof the email's context.
And if you look at those emailsand somebody's talking about
the attachment, and if it's notthere, then that's that's
trouble.
Kelly Twigger (04:20):
So that part is You know, that interesting point
that you raise because JudgeParker, in that one decision I
mentioned to you, said that itwas not an attachment, but the
courts since then have prettymuch conceded that hyperlinked
files that are referenced in acommunication are attachments.
Can I just clarify two pointsfor you?
One is we can have hyperlinkedfiles anywhere, right?
(04:42):
It's not just limited to email.
They can be in text messages,they can be in WhatsApp
messages, any kind ofcommunication where you're
sending text and you can includea link.
A hyperlink file can be in anyof those.
Okay.
All right.
And I had a second point whichI've completely forgotten, so
I'll come back.
Arman Gungor (04:59):
Well, that's that's all right.
But you know, when I wastalking about that, I kind of
danced around that attachmentphrase because yeah, maybe
technically they may not becalled attachments, but what I
said is are they in the contextof the email?
And I think, you know, thereasoning for how the production
is defined and how we alwaystalk about families and
(05:20):
parent-child relationships, thefact that if it's an attachment
or something else is not reallythat relevant.
I think what's important is isit in the context of the email?
As in when you review theemail, do you really need to
refer to that file to get thefull context of what's going on
there?
And I think the answer to thatis yes, you have to have that
context to decide what'shappening.
(05:41):
And I've experienced thismyself personally.
I've had some cases like thatwhere even not in a corporate
scenario, individuals usingregular free Gmail they would
exchange some files as GoogleDrive hyperlinks, and when you
come to examine those emails, oreven in the discovery context,
when you need to review them andmake decisions, if those files
are not there, you just let lostthe whole context, as if
(06:03):
somebody just dropped theconventional attachments of an
email.
So contextually, I think it'sfairly straightforward.
But as far as the productiongoes, should it be your standard
operating procedure?
I think that very much dependson scope and again context and
proportionality.
Because in a case where thereare a few mailboxes and it's not
(06:26):
overly burdensome, I think it'san easy decision.
When it scales up, there aredefinitely some challenges, and
they depend on the provider aswell.
Providers have different takeson this, they have different
APIs and they have differentcapabilities, and there are
varying levels of difficulty ingetting those Google Drive or
Microsoft OneDrive or SharePointfiles out of the provider and
(06:49):
linking them with the emails.
So that part is a little bitopen to discussion, and maybe
it's like on a case-by-casebasis.
Parties need to figure out ifit should be considered in
context and part of theproduction.
But that is really thechallenge that we're trying to
solve.
And yeah, you mentioned that2021 case and the landscape has
changed a little bit since then.
And I'm happy to see that theproviders have kind of tried to
(07:11):
adapt.
And I saw that Google actuallyupdated Walt to include that
hyperlinked attachment supportlast year.
So now, even if you don't use aspecialized software, but if
you're doing a regular GoogleWalt export, you could get
hyperlink Google Driveattachments out of Walt.
Kelly Twigger (07:29):
So I'm going to stop you just to make sure
everybody's on the same pagebecause a lot of folks use
Microsoft, right?
So you either use Microsoft oruse Google.
Some people will use Google fortheir free email, so they might
use it for their personal mail,but exporting it for purposes
of discovery never kind of comesinto play.
So for folks who use GoogleApps, of which Google Mail is
(07:50):
one, there's an archive solutionthat can be turned on with
Google Mail called Google Vault.
And what you're saying is thatlast year, so in 2024, Google
Vault added functionality to itthat allows you to collect
hyperlinked files directly fromGoogle Vault.
Is that right?
Arman Gungor (08:10):
That's right.
There is definitely somenuances there.
It doesn't get you 100% of theway there because of, I would
say, two main things.
One of them is the way GoogleVault is doing it now is a very
efficient way, and you canexport a number of custodians
all in one go, kind of similarto what you do with Purview.
And whatever Google Drive filesare associated with those
(08:32):
mailboxes, the related GoogleDrive files will be exported all
together as a single instance.
So if that Google Drive filehas been referenced 75 times
here and there, you're gonna getone instance of that.
And there's a reference filethat allows you to kind of match
it up with where it should go.
Kelly Twigger (08:50):
Now this so the reference file allows you to
match up the communication.
So let's say in this case, thecommunication is an email to the
actual file.
And if the file, if that ifthere are 75 times in the
collection, there are 75different emails in which that
file is referenced, it will onlybe collected one time, but
(09:14):
there is a ref, what did youcall it, a reference ID that you
can match with thecommunications to the file so
that all 75 communications wouldhave that reference ID to that
one file.
Arman Gungor (09:26):
That's right.
So which makes sense from anefficiency standpoint.
There is no point inrecollecting the same Google
Drive file 75s, which we didwith attachments over and over
and over again.
Kelly Twigger (09:37):
So this is actually more efficient.
Arman Gungor (09:39):
Yes, efficiency-wise, that's perfect.
One part they're missing isthat they don't offer a way to
reconnect those things for you.
So that's left to the user, andnot every user is able to do
that.
So when you want it to be readyfor e-discovery ingestion, you
have this set of emails and youhave this set of unique
instances of Google Drive files,but they're not really in any
(10:00):
way connected directly.
So you have a couple ofoptions.
One of the options is you wouldhave to write your own process
or scripts or whatever andreorganize them in a way that
has some type of connection thatis compatible with your
e-discovery solution.
When we saw this, we jumped onit as well and we built that
into forensic email collector.
So we wanted to take that as astarting point, as if you're
(10:22):
collecting from Google's APIsdirectly, but start with a
Google Vault export andreorganize it in a way that kind
of mimics a forensic emailcollection.
So everything is packaged.
There are Google Driveattachment packages where
there's the parent email and theconventional attachments and
the Google Drive attachments inone place for that parent-child
(10:43):
context.
But that was one of the thingsthat they're missing.
So that support is there.
It's not a hundred, it doesn'tget you 100% there if you don't
have the practices and whatyou've got to have, you can't do
it yourself, right?
Kelly Twigger (10:55):
I can't export from Vault.
And I'm fairly savvy when itcomes to those things, more so
than most litigators.
But you can't I can't do itmyself unless I've written some
sort of script that allows me totake that ID and link it back
to the email communications.
Yeah, and that's one of thethings that forensic email
collector, your tool, does.
Arman Gungor (11:13):
Yes, if you have if you had just two, three
emails, then you could probablylink it yourself manually.
But if you have millions ofemails, then you definitely have
some type of automated processto do it.
And it's not an insurmountableproblem, really.
It's solvable, but it does havesome challenges because part of
the problem also is that notproblem, but part of the
challenge is that the emailscome in containers, so you don't
(11:35):
get individual emails, but youget either PST files or inbox
files, which are essentially abunch of text-based emails
combined together, likeconcatenated.
You have a question there.
Kelly Twigger (11:47):
Yeah, I do because I want to make sure.
So inbox, the inbox containeris what comes from Google, just
so listeners understand thedifference.
So the inbox container is whatcomes from Google, and the PST
is a Microsoft containercreation, right?
Arman Gungor (12:01):
Yes, but Google also exports in PST format to to
accommodate users who wantthat, I think.
So you have both options whenyou do, right?
Kelly Twigger (12:09):
It had always been inbox, was Google's
standard functionality, butthey've since added PSTs because
Microsoft users wanted it.
Arman Gungor (12:16):
I think it's been a few years that they've had
that functionality, but yeah,initially it was Mbox only.
And the reason for that isclear on Google's back end,
these emails are MIME emails, sothey're text-based emails.
So in when you stay in thatrealm, then the container format
for that is Mbox, which isessentially a bunch of MIME
emails just concatenatedtogether with a little bit of
(12:36):
formatting sprinkled in there.
So for Google to go from thatto PST is kind of artificial in
a way, because there is noreason for Google to have PST
output.
Kelly Twigger (12:46):
What's the difference between an Mbox and a
PST?
Arman Gungor (12:48):
PSD is Microsoft's format, and they have a whole
different take on this.
They have essentiallyindividual mappy properties, is
what they call them.
So it's like a containerindividual what properties?
Mapy.
So Microsoft's specificationand architecture for email,
essentially.
And in a MAPI container, wehave a bunch of different
(13:09):
properties, and they are storedin some type of fashion that's
not really defined in thespecification.
So you could have it beanything you want, but
Microsoft's take on is is to usethe compound file binary
format, which is essentiallywhat used to be the Microsoft
Word files and stuff like thatback in the day.
So that there's essential thatcontainer, and inside that
(13:30):
there's a bunch of streams, andeach stream contains a mapping
property.
But the gist of it is thatthere's a bunch of different
compartments in an email, andeach compartment, each property
stores a different aspect of theemail.
So one of those propertiescould be, for example, the
headers of the email, one ofthose properties could be the
text-based body of the email,one of them could be the
(13:51):
HTML-based body of the email,and a ton of others.
And presumably the reason forthis is that Microsoft's
architecture is a lot morecomplex than just email, right?
So you have Outlook.
In Outlook, you have emails,you have calendar items, you
have contacts, you have thepossibility to add warning
buttons into email.
So there's a lot of rich stuffthere that doesn't really fit
(14:11):
with the traditional MIMEstandard.
So you can't take all that richfunctionality and turn it into
a MIME email without any extrabells and whistles.
So to be able to store andhouse all this, they have to
have a database type system, andthat is essential their map
containers.
And when they export, they wantto preserve all that stuff that
they have on the server.
So they put it into a uh PSTmapping container that houses a
(14:35):
bunch of mapping properties andindividual messages in that in
essence.
So for Microsoft, this makessense because they have that
kind of architecture on the backend and they kind of reflect
that when they export it out.
For Google, when you exportindividual email, you see that
they have them as individualMIME messages.
So for them, it makes sense toexport Mbox files because
(14:56):
they're just concatenating abunch of them and getting them
out to you.
Kelly Twigger (15:01):
Make it really, I'm gonna break it down.
Google, simple.
Microsoft, complicated.
Arman Gungor (15:06):
Well, you could maybe you could boil it down to
that.
I mean, Google has a lot ofcomplexity too, but in different
ways.
But from a compliancestandpoint, I think that that's
a fair assessment.
Google Vault and Google's takeon email seems to be a little
bit simpler and easier to graspthan Microsoft because of all
the stuff that they'veinterconnected.
There's exchange, there'steams, there's there's a lot of
(15:27):
stuff going on there.
Kelly Twigger (15:28):
Yeah, just listening to that last two
minutes that you gave me, whichfor me being highly technical is
interesting to me.
I'm guessing everyone else isjust a lump over their heads.
Because it just that's whatmakes this, that's what makes
eDiscovery so hard for lawyers,is there are so many
responsibilities that litigatorsalready have, and being able to
understand this technicalinformation is difficult.
(15:51):
And it's just another job.
And so folks like you whoprovide forensic services in
litigation support who aresolving these problems are so
critical.
But I think just to take itback for a minute to the high
level for the lawyers, becausewhen we used to collect email
with physical attachments, whichvery rarely exist now, we had
(16:17):
an email, then we had the actualattachment.
And when they showed up in ourreview platform, we would have
the email actually there, andthen the very next document
would be the attachment, andwe'd have metadata that showed
the parent-child relationship,and we'd have all the metadata
for the attachment as well.
Now that we're collectingdocuments at hyperlink files,
(16:38):
how are we able to deal with theparent-child relationship?
You talked a little bit aboutthat ID structure from Google,
and I want to talk about it fromMicrosoft, but the version is
another issue that we come intowith that relationship.
And that is if I sent an emailto you today and I send a link,
(17:03):
let's say I send a link to thenotes for us to prepare for this
podcast, and you go into thosenotes and you make a change to
that, um, to those notes, and sothere are additional edits, and
you send me an email back andsay, Yeah, I've done some
updates.
Let me know what you think.
If we go and collect thoseemails, when we collect both of
(17:23):
them, let's say they're a Googlewill give us an ID that will
allow us to connect that samedocument to both emails, but
won't the version be the versionthat exists at the time of the
collection?
It's not gonna allow me tocollect the version that existed
when I sent it to you and thenthe version that existed when
(17:44):
you sent it to me.
It's only gonna collect themost recent or what we call the
contemporaneous version.
Arman Gungor (17:51):
So before we get into that, let me backtrack and
finish that last thought we hadbecause the reason we got into
Mbox versus PSD was one of thechallenges in the Vault export,
which I was saying that theycome in a container.
So the challenge that'sassociated with that container
is that you don't haveindividual messages to go and
tie to the individual items inthat reference file.
You have a container full ofemails, so you have to also
(18:13):
figure out how within thatcontainer the individual
messages tie with thosemessages.
Kelly Twigger (18:18):
So it's another level of complication with the
PS.
Arman Gungor (18:21):
There are some breadcrumbs there that we use,
and there's a good 100% accurateway to match them up, but
again, another challenge tosolve basically.
The second challenge was whatyou're just getting into now,
which is the versions problem.
And Google Vault currently doesnot do this.
So if you get the hyperlinkfiles from a Google Vault
export, it only gives you whatwe call Google Drive
(18:42):
attachments, and which would bethe current version of those
Google Drive files.
But it doesn't give you anyolder versions that fit the
email.
But what you mentioned is true.
So if you have a situationwhere there's an email and
there's a hyperlink file, andthe email is let's say sent a
few years ago, and the legalteam is interested in seeing
what that file looked like backat that time as the email was
(19:05):
being sent, then you get intorevisions in the Google world
and versions in the Microsoftworld, similar concepts.
So the good news is theproviders track those versions
of the emails.
So when you talk to, let's say,Google Drive API, you're able
to say, here's my file ID, and Iwant to see what revisions of
this file you have, and then youget a list back, and then you
(19:28):
can see what the dates of thoserevisions are, and you can
figure out okay, this revisionprobably goes with this email
based on the timing.
So you can pick the appropriaterevision, or you can get all of
them if you feel like seeingexactly how that file changed.
Kelly Twigger (19:40):
So if I'm a if I'm a receiving party, I've
received a production from you,and in that production, and I'm
gonna assume for purposes ofthis that you and I have agreed
as counsel that you'll providecontent to me, you'll you'll
provide metadata that tells meif there's a hyperlink in a
(20:01):
message, in a communication.
I can then filter in my reviewplatform once I've loaded your
production by the documents thathave hyperlinks in them.
I can then decide, reviewingthose documents, which hyperlink
documents I want.
And in addition to telling youwhich hyperlink documents I
(20:23):
want, I should tell you that Iwant which version I want.
Arman Gungor (20:29):
That's true.
Usually, in my experience, thismostly happens at the time of
collection.
So as opposed to a two-stepprocess, the parties decide,
okay, we want the Google Driveattachments to be in scope.
And then when collecting them,we want to either collect the
current version for all of them,or we want to choose the
specific version that goes witheach email, which we call the
(20:52):
last revision before the sentdate of the parent email, and
you automatically get thatversion and you have that in
your database.
But in some cases, internally,it might make sense before
production to do like atwo-phase process where you
don't actually get into allrevisions and all Google Drive
files and perhaps make aninitial collection and turn it
(21:12):
over to your internal legal teamfor preliminary review, and
then they identify hey, okay,these are the emails where we
are interested in the modernattachments, and we want to see
this revision based on date, forexample.
Then they can get back to theto their technical team with a
list like that and say, hey, wewant you to go back now and pull
these specific revisions for usfor these emails, and then you
(21:33):
can load that up.
Kelly Twigger (21:35):
Okay, so two options then.
One the parties agree at theoutset either to receive
contemporaneous versions or theversion that existed at the time
the email was sent.
If that's the option theparties take, is there a manual
process?
And I'm thinking aboutproportionality considerations.
(21:56):
Is there a manual process foryou as the provider to provide
though to give me the versionsthat were created at the time
the email was sent?
Arman Gungor (22:09):
It's automatic.
So forensic email collectordoes that assessment for you.
It'll take a look at the dateof the email, it'll get a list
of old revisions, evaluate theirdates, and pick the right
revision based on the timingcorrelation there.
If you wanted to do itmanually, then yeah, there would
have to be some type of processaround it to kind of automate
that.
Kelly Twigger (22:30):
So forensic email collector will do that for you.
It will give you the versionthat was sent at the time the
email was sent.
But is there built-incapability within Google or
Microsoft to do that currently?
Or do you have to have anoutside tool, like for instance?
Arman Gungor (22:44):
Yeah, I don't think they do that.
Google Vault just exportstoday's copy of the to the
modern attachments, and Ibelieve the same for Microsoft
right now.
So there is no you know,specific revision for an email
at the moment.
Kelly Twigger (22:57):
Okay.
Just I'm just gonna clarify onemore time, just because I know
everyone listening, this isgonna be an important point for
them.
And that is that if you want tobe able to collect the version
that existed at the time acommunication was sent, you're
likely going to need to use athird-party tool like a forensic
email collector to be able todo that, because that
(23:20):
functionality is not native toMicrosoft, whether that's
purview or to Google.
Arman Gungor (23:26):
It's not built into their ready-made discovery
tools.
It is native to them in thesense that it's part of their
API.
So if you know how to talkprogrammatically to their
systems, you could do ityourself too.
But it it requires you todevelop some software basically.
So if you're looking atoff-the-shelf products, then
you're right.
They're built-in e discoverytools, don't do that currently.
Kelly Twigger (23:45):
Okay, great.
Thank you for thatclarification.
I'm gonna ask you one morething, and that is because a big
part of this podcast is tryingto help lawyers learn the
technology and the terminologyso they can speak it and feel
more comfortable with it.
And we've used the term API acouple of times.
Can you explain what an API is?
Arman Gungor (24:03):
Yes, it stands for application programming
interface.
So it's a special interfacethat a provider offers for usual
software developers to be ableto talk to their systems in an
automated way and to do thingsthere.
That's what we use.
For example, when we talk toGoogle, we use the API to make
specific requests, such as, hey,give me this file or give me
this email.
What's the data on this email?
(24:24):
Kind of automatedcommunications with that
service.
Kelly Twigger (24:29):
Great.
Thank you very much for that.
I'm gonna switch a little bitbecause part of what prompted
our discussion was thediscussion that you had with
Rocky Messing and Tom O'Connor,I think it was almost a year ago
now, about this very topic andabout some of the capabilities.
And when you and I weretalking, prepping for today's
(24:50):
discussion, you said there'sbeen a lot of changes since that
call that we need to talk aboutin terms of the capabilities of
the tools.
What are those updates in termsof what's changed in the last
year?
And what do those continuingchanges mean for us as
litigators and what we need tobe thinking about in the
(25:12):
hyperlink files area?
Arman Gungor (25:13):
It is constantly changing, it's an evolving area,
as you might expect.
So on the Google side, like wementioned, there's support now
natively from Google Vault toexport hyperlink files.
So that was kind of a bigchange, and we kind of matched
their speed there and we builtFEC around it to support the
same thing.
On our side, there have beensome additions in the model
(25:34):
attachment area in terms ofMicrosoft.
We added first support foracquiring OneDrive files and
SharePoint sites entirelywithout related to emails, so
essentially just collectingOneDrive as a whole or
SharePoint as a whole.
And very recently, we alsoadded support for OneDrive
attachments of emails orSharePoint attachments of
emails.
(25:54):
So kind of the same path thatwe took with Google, replaying
that same playbook on theMicrosoft side and starting with
the OneDrive attachments, andthen we will continue to add the
advanced features to bring iton par with what we do for
Google.
And a couple of things we didrecently is also around that a
(26:15):
mirroring of cloud attachmentswith their emails.
What we initially did was whatwe call drive attachment
packages, which was essentiallya bundle of parent email
conventional attachments anddrive attachments and revisions
all in one package.
And now we took that a stepfurther recently, and we do
something called staging now,which is essentially an extra
(26:37):
preparation step that takes kindof cherry picks either the
original email or the modernattachment bundle, depending on
whether or not that email hadmodern attachments.
So let's say that you have fiveemails, only one of them had a
modern attachment, and the otherones did not.
So in the output, you wouldhave four emails as just emails,
and then one of them would comewith the modern attachments,
(27:01):
essentially making it ready toingest right away.
Before they were in twoseparate places, and it took a
little bit extra preparationstep for people to reorganize
them and get them ready to throwinto some review or rediscovery
tool.
So we made that a little biteasier, mostly for small to
medium-sized firms.
I would say our large serviceproviders have internal
processes that already do thisautomatically, so I don't think
(27:24):
they needed that.
But smaller service providersor law firms or small companies
that do this kind of stuffinternally, they don't have the
resources to build a processaround it, usual.
So we're trying to help themget there pretty much in a
plug-and-play fashion.
So those are the maindifferences.
I would say the most remarkablething is probably the OneDrive
(27:44):
attachments, which is somethingthat a lot of people have been
creating for.
So that's new, and we'll seewhere we'll take it from there.
Kelly Twigger (27:53):
And those are all that's all functionality that's
in the forensic email collectortool, right?
You've been continuing todevelop that as technology has
changed with Google andMicrosoft.
Arman Gungor (28:02):
That's right.
The first part that Imentioned, Google Walt has
support, that's definitely theirown thing.
But outside of that, yeah, allthe staging packaging and
OneDrive attachments are all inforensic email collector.
Kelly Twigger (28:12):
And essentially what you just described in terms
of the stag, the puttingeverything together in a package
that I can then load into areview platform, will that show
up the same way that physicalattachments used to in a
parent-child relationship withmetadata that supports it?
Arman Gungor (28:28):
That depends on how the review tool handles it,
because it's not exactly anemail anymore.
That's probably somethingthat's worth clarifying too,
because a lot of people havethis question.
And the question when youcollect modern attachments, how
do you output that?
Do you uh insert them into theoriginal email or do you keep
them outside?
And I think that's an importantconsideration.
(28:50):
And the answer to that is we donot put them in the original
email.
And we have a few reasons forthat.
One of them is that once youopen up that original email and
insert modern attachments intoit, then you make very
substantive changes to theemail.
All the metadata changes, myboundaries change, the digital
signatures don't verify anymore.
So you just create a whole newemail, is which is not
(29:10):
desirable.
The second thing is when youconsider the context of
information exchange andproductions, if this is not
clearly communicated, it couldbe a misunderstanding.
Because if I received an emaillike that with a bunch of modern
attachments, I might be misledinto thinking that that's how
that email originated, but it'snot really case, it's a
constructed email that's piecedtogether from different sources.
(29:33):
So that's another potentialsource of confusion.
But probably the mostcompelling reason is that cloud
attachments can be very numerousand very large.
Let's say that an individualshared not a Google Drive file,
but a Google Drive folder inemail, and the folder contained
10,000 items totaling twoterabytes in size.
If I took that 10,000 items andtwo terabytes and shoehorned it
(29:55):
into that one email, they'regonna all have all sorts of
processing problems on the Asyou throw that into your review
tool or do anything with it,really.
So it's really almostunfeasible to do that.
So we chose a different path.
So instead of modifying theemail and putting them in there,
we create essentially zippackages where in the zip
there's the original email.
(30:15):
Like I said before, there's theconventional attachments that
are already in that email.
And then the cloud attachmentsand revisions are also in the
same zip container.
So if you have a review toolthat automatically treats zip
containers as a family, thenthat would be pretty much a
no-brainer.
You'll be good to go.
If you have any discovery toolthat treats zip containers as
(30:37):
folders and doesn't really careabout the parent-child
relationship in there, then youmight have to do some extra work
there.
So that depends entirely on thesolution.
I know that a lot of our userswork with the mainstream
e-discovery hosting providers,the big names, and they all have
found ways to do that in anautomated way to link that to
(30:58):
have that parent-childrelationship.
So I think for the most part,it's an unissue now.
Maybe in the initially it mighthave been a bit of a challenge
because it was new.
But I think probably hostingproviders have already
encountered this enough that nowthey know what to do with it.
Kelly Twigger (31:13):
So yes, if you have your own litigation support
team, and yes, if they'veworked with these issues and
come up with solutions for them.
But let's say that representsabout 5% of the population of
litigators, right?
That the other 95% are going,okay, I don't know what the
questions are that I need to askhere.
And so let's clarify from ajust a high level as a
(31:35):
litigator.
If I'm talking to you as myhead of litigation support or my
person who's responsible forgoing and doing the collections,
what are the questions or whatare the things that I need to
tell you so that you do thecollection in a way I want it
done?
And the flip of that is what doI need to negotiate with the
(31:58):
other side to be able to get towhat I call hyperlinked files
and you're calling modernattachments?
Arman Gungor (32:05):
Yeah, I think like the general description of you
know what you need on the outputside is important.
That's gonna come down to therest of your processing stack
for the most part.
I think it's gonna come down toyou know what type of
structures your YouTuberecognizes as an attachment
family.
Kelly Twigger (32:21):
So the That's tech that's complicated, that's
litigation support, peoplehosting data, strict litigators.
What are the things I need tosay?
So it seems to me I want theemail, I want to know which
version I want, whether I wantthe contemporaneous version or
whether I'm willing to take themost recent version or the
(32:43):
version that exists at the timeof collection.
What are the other things thatI want besides version?
Do I want metadata?
Arman Gungor (32:50):
Yeah, some sort of thing.
Another important thing is youwant to define or decide on how
you handle folders, becausethere's a distinction between an
individual file modernattachment and email, and then
there's a different scenariowhen there's a folder.
What do you do then?
Do you ignore that folder, ordo you want your tool or process
to actually dig into thatfolder and extract everything
(33:12):
that's in there?
Do you want that to do itrecursively if there are any
subfolders that are in there?
So that's an importantdistinction because, like I
said, like somebody could sharethe root of their shared Google
Drive for the whole team, andthat could be really large.
Kelly Twigger (33:25):
So that's another that then so what I'm trying to
articulate for listeners is doI need my team to look at the
data first and understand whatthe issues are that I need to
provide guidance on?
And if this is the other side,how am I gonna ask them?
(33:47):
Am I gonna say, hey, look,guys, I want you to go in here.
I want to know, here's what Iwant to do on versions.
If there are folders at issue,I want you to identify those,
and then I want us to meet andconfer about those specific
issues.
Is that a good approach?
Arman Gungor (34:03):
Yeah, I think in the initial meet and confer, the
two things that I would try todecide on is are modern
attachments part of this?
And if so, are we interested inthe current versions of these
modern attachments or thecontemporaneous versions like at
the time that the email wassent?
So that's the initial decisionto make.
Once we have that, internallyyou might have to do a
(34:23):
multi-step process where you dolike an initial assessment to
see maybe the volume of cloudattachments you have.
Are there any folders therethat have been shared and how
much stuff there is potentiallyin those folders?
And are revisions-wise, youknow, are there any specific
revisions that are reallyrelevant that should be
produced?
So there internally, you mighthave to do like multiple takes,
(34:44):
and then there might be anothermeeting confirmed to confer to
reiterate some of those pointsor discuss further.
But initially, definitely youwant to discuss modern
attachments and the versionissue.
Kelly Twigger (34:56):
If I'm working with a corporate client and I
have access to their Microsoftemail, how can I go into the
email in appropriate custodians'mailboxes?
And I'm limiting that knowingfull well that we're moving away
from custodial discovery.
But let's say I'm going intospecific custodians' mailboxes,
(35:18):
how can I determine which emailsor how many emails have an
attachment, have a hyperlink tofile associated with them?
Arman Gungor (35:24):
Yeah, that's that's a good question.
So there's a way to access yourcustodian of choice or all of
them using Microsoft'sauthentication mechanism.
So authentication-wise, that'seasy.
But in terms of metadata andhow to quickly determine which
ones have cloud attachments,that's something that I do not
(35:45):
recall seeing as a search termin Microsoft's tooling.
Like uh Google has this, forexample, where you could run a
search and identify which emailshave cloud attachments.
I don't recall off the cuff ifMicrosoft had that, I believe
not.
If they don't, then you mighthave to do some type of initial
metadata only acquisition toessentially get some information
(36:05):
about those emails and then gofrom there.
Kelly Twigger (36:07):
But yeah, I don't think what metadata fields
would tell you that there's ahyperlinked file included in the
text.
Arman Gungor (36:15):
Yeah, I don't actually in in addition to
metadata, I think to be on thesafe side, you might even have
to get the body of the messagebecause there's gonna be the
hyperlinks that are in the body.
Kelly Twigger (36:24):
So very so very difficult, if not impossible,
then to determine how manymessages you might have in an
email collection that havehyperlink files in Microsoft's
email.
Arman Gungor (36:34):
Off the top of my head, I didn't have a good
solution for that, but I I willdo some research into that to
see if Microsoft has a mechanismto search for that.
Kelly Twigger (36:42):
I think what we're trying to do here is
identify what the issues are,right?
And that's what comes to whatyou and I discussed previously,
which is the proportionalityconsiderations, right?
What are a party's obligationswith regard to hyperlinked files
when the email service thatthey use doesn't allow you to
filter by which documentscontain hyperlinked files, so
(37:05):
you even have a sense as to howmany are there.
And then to be able tonegotiate from there is very
difficult.
So it does feel to me, based onthe technology as it exists
right now, that in dealing withMicrosoft email, that a number
of the types of processes thatparties have undertaken in case
(37:26):
law is to do a samplingapproach, right?
I will provide you the email,you identify of the documents
containing hyperlinks, whichfiles you want, you come back to
me.
At that point, you might evenbe looking at which version you
want of those files.
And then those files areprovided.
And many parties, there aremany examples in the case law of
(37:48):
parties doing that samplingapproach, right?
We'll come to you with X numberof requests a week.
You get two weeks to respond tothat, you give us those files,
then we can give you X number ofrequests.
Usually it's 20 to 50 every twoweeks or so.
I think the most recent exampleof that is the NRA Uber case.
So do you know, Arman, ifMicrosoft or Google are going to
(38:11):
continue to make additionalupdates to their technology to
help resolve this problem from adiscovery perspective?
unknown (38:17):
I don't know.
Arman Gungor (38:18):
First hand knowledge, but I can only
imagine that they will, becausethis is an emerging issue.
And from what they've done inthe recent past, I think it's
safe to say that they'reexpected to keep moving in the
same direction.
But yeah, I mean what you'resaying is true, and there are a
lot of challenges.
There are more challenges thanwe covered.
For example, in terms ofidentifying which items have
(38:38):
cloud attachments, Google hassome mechanisms to run some
searches to identify them.
But when you actually validatethose searches, what the
searches return is not alwaysexactly true.
When we do our own assessmentof which items have drive
attachments, we find more thanwhat Google returns.
So it's you can't reallyblindly rely on that.
But it could be a good startingpoint to like get the ball
(39:00):
rolling and have a rough idea ofwhat volume to expect.
The other trouble is this: let's say that you have a bunch (39:04):
undefined
of emails and they have cloudattachments, but there's no
guarantee that you're gettingthose cloud attachments because
when you request them, you mightrun into a few issues.
One of them could be that thatattachment is no longer there.
So what if it was inserted thatwould then subsequently
deleted?
There's still the hyperlink,but the file is gone.
(39:24):
The second thing is you may nothave the permission to access
the file or download the fileany longer.
Perhaps you had it and youdon't you lost it later, or
perhaps you never had it andsomebody sent you an attachment
that you didn't have accesspermissions to download.
So there's definitely quite afew moving parts and challenges.
But that's not to say that youknow, well, this should not be
(39:47):
part of e-discovery.
I think it's just good forpeople to be roughly aware of
you know what type of challengesthey might face when they go
down this path and have somepotential solutions and
workarounds for them ready, orat least know that you know
these will need some discussionwith opposing.
Kelly Twigger (40:04):
Yeah, you and you touched on a big important
point, and that is essentiallypossession, custody, or control
as it relates to the files thatare at a hyperlink in a
communication that is otherwiserelevant.
So if I have an email, like theemail exchange we were talking
about before, where I sharethose notes with you who go on
(40:26):
your merry way, I remove youraccess to those notes.
Someone collects your email andthe link that exists is there,
but you no longer have access tothat file.
And so the question becomeslegally, are you obligated to
provide it?
And the answer is if you nolonger have access to it, then
it is not in your possessioncustody or control.
(40:48):
So we've got this nowoverlaying argument or challenge
on top of providing hyperlinkedfiles.
And I think so.
There's the possession custodyor control argument, which is an
issue.
And there's also anotherargument that Doug Austin raises
regularly when we talk abouthyperlinked files, and that is
(41:10):
that preservation of hyperlinkedfiles is very difficult because
of the way that these systemsare set up.
And if you're put on legalhold, but you no longer have
access to that document that Ijust mentioned, and I'm not on
legal hold, then that documentmay never get collected or it
(41:31):
may not get preserved.
And say the document rolls offbased on a retention policy that
otherwise it should have beenon legal hold.
Is there a way that we're goingto be able to can we deal with
that right now?
That preservation issue?
Arman Gungor (41:45):
Yeah, that's that's tough.
And what you mentioned earlieris very true.
And that has actually twocomponents to the control and
ownership and access issue.
There's also the issue of let'ssay I have my mailbox and I
have some Google Drive hyperlinkfiles in there, and a number of
them are mine from my GoogleDrive, but a number of them are
from the outside, people thathave sent me files.
So they're not my Google Drivefiles, I just have access to
(42:07):
them.
So if I have access to them, wecall these shared with me
files.
And both providers, bothMicrosoft and Google, have this
concept.
So are you obligated to alsoproduce these shared with me
files?
If you if you don't have accessto them, then you can say it's
not feasible.
But to the extent that you areable to access them, do you
include them in your production?
That's another challenge.
And then there's that issue oflegal holes, and that was a
(42:30):
potential problem there as well,because Google Drive and the
email data are two separatethings.
You might run into problemswhere maybe the email is held
for retention, but thecorresponding drive files are
not.
So you have a situation where,yeah, you have retained the
emails, but the linked drivefiles are gone, and you can't
really perform a full GoogleDrive hyperlinked export and
(42:54):
production anymore.
So that's another thing thatneeds to be set up.
Kelly Twigger (42:57):
Yeah, that's a huge problem because now for
preservation, we can't just puta legal hold on email boxes the
way that we used to.
Now we have to put a hold onSharePoint sites, Google Drive,
wherever the documents that willbe linked to the communications
might live.
Arman Gungor (43:13):
That's something that the providers will have to
solve.
So for Google, for example,when they allow you to prepare a
hold on a mailbox, then thereshould be an option that says,
do you also want to hold anyhyperlink Google Drive files?
And if so, they should be partof that hold automatically.
Otherwise, it would be reallydifficult for the end users to
handle that because the onlything you could do is hold the
(43:35):
entire Google Drive.
And that's even in some casesperhaps not feasible because of
the fact that some of thosemight become from the outside.
So you have access to them, butthey're not yours to hold.
So there's some retentionchallenges there as well.
Kelly Twigger (43:49):
But yeah, yeah, there are there are legal
questions.
There are significant legalquestions.
And I think we I just did apodcast last month with Judge
Rodriguez from the districtcourt in Texas, and we talked
specifically about thepossession custody or control
issue and whether or not the thetests that we currently use for
possession custody or controlreally hold up under the
(44:10):
technological advancements thatwe've seen in the last decade or
so because it's just thelandscape has changed so
substantially, and the use ofmobile devices to communicate
has just it's really muddied thewaters of e-discovery.
We got very comfortable dealingwith email and attachments and
how we've just blown it up andstarted all over.
I there's a couple of thingsthat else I wanted to ask you
(44:33):
about.
One is you you mentioned to methat there's a second tool that
you've built at Metaspike calledForensic Email Intelligence or
FEI.
Can you tell us a little bitabout what that tool is, what it
does?
Arman Gungor (44:44):
Yeah, so it's an investigation tool that
essentially kind of takes itfrom where forensic email
collector leaves off and startswith already locally available
emails.
So not a collection tool, butworking with email files, MSG
files, PSTs, OSTs, that kind ofexisting email data.
And then allows for emailinvestigations.
The main use case there is ifyou have a case and there's, for
(45:06):
example, email fraud, somebodybackdated an email, there's
maybe business email compromise,a phishing email has been sent,
a wire transfer has been madeto a wrong party because of a
man-in-the-middle attack orsomething like that.
Which is quite common thesedays.
So it is a tool that's designedto kind of deep dive into email
and break it into itscomponents and look at what we
(45:26):
call tool marks.
So you know, when an emailclient touches an email, it
usually leave some marks interms of hidden timestamps and
different headers and things ofthat nature.
So kind of interpret that data,correlate them, and then score
the emails across the board sothat you can load up, for
example, millions of emails andthen have the tool automatically
score them.
(45:47):
So in a large case, you have astarting point of which emails
do I look at first if you knowif I don't know where to start.
That's a problem I personallyhad.
I would be score them by what?
Score them based on howegregious their problems are in
terms of the internalinconsistencies in the email.
Kelly Twigger (46:04):
Oh, okay.
Arman Gungor (46:05):
So for example, the email has some digital
signatures, but they don'tverify, so that's a problem.
Or the email has someattachments, but the date of the
attachment is after the date ofthe email.
That's another problem.
Or the email has some hiddentimestamps in its message
identifiers and things of thatnature, and they don't match up
with the email's apparent date.
Kelly Twigger (46:22):
So all those different data points has a
scoring system for each one ofthose problems, and the more
problems you have, the higheryour score is, and so those get
elevated to the top to look at.
Arman Gungor (46:32):
Exactly.
Yeah, because I would, youknow, I've received some cases
in the past where I would beasked to look at a specific
single email, and when I havethat, it's easy because I know
what to do, and it'll take memaybe a few hours to get through
all the details of the email,but I can solve that no issue.
But when somebody gives me,okay, we've been receiving these
email productions, and here's200,000 emails, and we know this
(46:53):
person is a fraudster, sothere's a bunch of fraudulent
emails here, but we don't knowwhich ones, so figure this out.
That becomes a whole differentproblem because then I don't
have a starting point, and wheredo I even go?
So this mainly solves thatissue where you can throw them
in and automatically score them.
Kelly Twigger (47:08):
So you just load all 200,000 emails into that
tool, it analyzes them, createsthat scoring system, and then
ranks them for you to startlooking at.
Arman Gungor (47:16):
Yeah, it also analyzes them contextually too,
because there are also someproblems in emails that only
come to the surface when youlook at the whole case.
For example, let's say that uh,you know, one of the metadata
fields in emails is calledmessage ID.
It's one of the traditionalemail headers that everybody is
aware of.
So it's supposed to be uniquefor every instance of every
email.
So if you have a specific emailmessage and you made five
(47:38):
copies of it, then yeah, theywill all have the same message
ID.
That's not a problem.
But if you have multiple emailswith the same message ID but
their contents are different,then that's kind of a problem.
How is it that there aremultiple emails that they say
different things but they havethe same message ID?
And this is based on real casesI worked.
We've saw some cases based onexactly this kind of problem
where somebody would producehundreds of fraudulent emails
(48:01):
and they would make mistakes andthey would reuse the same email
template to produce multiplefraudulent emails, and then you
would catch them by thosesimilarities in their emails.
So we also do that type ofcontextual analysis to see if
there are any patterns in thewhole project rather than just
in the one email.
Kelly Twigger (48:21):
I think that's fascinating, and the reason I
think that's fascinating isbecause one of the things that I
focus on is being able toleverage ESI to tell a story.
And what you've just explained,using FEI with fraudulent
emails is a beautiful way to beable to tell a story, right?
(48:42):
With not a significant amountof cost from a legal perspective
to be able to do thatinvestigation and understand a
story that otherwise with peopleand just looking at data with
my naked eye that I wouldn't beable to tell.
So if someone says to me, thisemail's fraudulent, I don't know
(49:04):
where it came from, we can useyour tool, someone can use your
tool, you could use your tool tolook at it and be able to tell
us what is wrong with it, why weknow that it's fraudulent.
Arman Gungor (49:13):
It's true.
And you know, I would like yourlisteners to take one thing
from this.
You know, email evidence isobviously very prevalent
everywhere, but unfortunately,because it's textual, it's also
very easy to modify.
So when you have key smokingand emails in a case, I would
refrain from taking them withface value by default because a
lot of times they are uhpossibly modified.
(49:35):
I've seen so many cases wherethere was email fraud and so
blatant fraud that you wouldn'tthink somebody would actually do
this and put it in front of ajudge, but they do anyway.
So it pays to at least quicklytry to verify those emails'
authenticity, and it's easy todo in most cases because they
have digital signatures that arevery easy to verify.
If you have a receiver's copyof an email, essentially what
(49:58):
happens is as the email travelsfrom the sender to the
recipient, the servers on theway along the way sign the
message with their private keys.
The technical details of it arenot that important, but the end
result is that at the end youhave an immutable digital
signature that tells you whetherthe email is changed or not
since it's been signed.
(50:19):
So it makes it really easy toverify okay, the email's message
body and the attachments and acertain set of key header fields
may have been changed or couldnot have been changed by anybody
else after it's been sent andreceived.
So that's a very quick check todo, and I think it's incredibly
valuable, incredibly valuableto essentially have like as a
(50:39):
first line of defense, you havea key email, have it checked or
check it yourself, easy to do tosee what that signature says.
If it's bad, then that mightwarrant some further looking
into to make sure you knowyou're not dealing with fake
evidence.
Kelly Twigger (50:54):
One of the things that's that's fascinating, and
I one of the things that comesup for us as litigators on a
regular basis is timing, becauseit may be two days or a day or
five hours before a depositionwhen we're sitting down with an
email and we're looking at itgoing, this doesn't seem right
to me.
This just doesn't, there'ssomething off here, and I don't
(51:18):
I can't do what you can do withyour tools or with your
knowledge.
But when I how long does ittake if I called you and said,
Arman, I need your help lookingat this email?
I'm gonna postpone thisdeposition for a week.
Can you help me take a look atthis?
Tell me what you need.
What is the timing associatedwith that?
Like how quickly can you helpsomeone?
Arman Gungor (51:35):
If you have an email, like an individual email
you're interested, and if youhave it in the right format, to
do a preliminary check like thisand verify digital signatures
is press a button and you getthe results.
That's not really a fullexamination of you know every
little bit in the email, butthat gives you like a
preliminary, very quickassessment.
But the right format isimportant, and that is where
(51:56):
we're going back to you knowhaving the emails collected in
the right format.
And we had this discussionabout, for example, Mbox versus
PST earlier.
It is important to stay in theright and original format of
these emails because all thosedigital digital signatures are
out the window once you convertthe emails.
Kelly Twigger (52:12):
So if you have what is the right original
format of an email?
Arman Gungor (52:16):
Typically, that's going to be a MIME message.
So, similar to, for example,let's say you have a Gmail
account, you go to gmail.com andyou click on your email and you
say download original, it givesyou an email file.
That's the original MIME email.
Same thing with Yahoo! You saydownload raw email message, I
think for Yahoo, and it givesyou the same format.
So that's that's the universalformat called internet message
(52:36):
format, and that's how theemails travel over the internet.
So the digital signatures thatare applied to the emails are
essentially calculated based onthat format.
So once the email is convertedto a different format, like
going from email to PSD, forexample, then the signature is
totally invalid now, so you justlost that ability.
Kelly Twigger (52:56):
So in all this that because you said Microsoft
doesn't store its emails asmimes.
Arman Gungor (53:02):
Yeah, exactly.
So Microsoft breaks it apartwhen you export from Microsoft
though.
Initially they didn't have away to do this, I think, but
they have a way to store whatthey call the MIME skeleton of
the email so that they're ableto rehydrate and give you that
MIME message when you make arequest against their API.
So Microsoft also does supportMIME email collections, but
(53:24):
there are some challenges there.
One of the issues withMicrosoft is that as part of
that intake process, they modifythe email contents.
So when I receive an email as aMicrosoft user, for example,
when my received copy arrives inmy mailbox, I find that the
HTML body of the email isslightly different than what the
original sender had composedbecause of some internal
(53:46):
processes they have, and thatinterferes with the digital
signatures.
To a small extent, that isreversible because we know what
that is.
So if I have a relatively briefemail with not too many bells
and whistles, I can actuallyundo that and still verify the
signature, which I've done inthe past.
But as the emails get morecomplex with a lot of
attachments and lots of body andstuff, then that becomes very
(54:08):
difficult.
And I see that as a majorproblem and as a negative
towards Microsoft's systemsright now.
I hope they they fix that issueso they can give you
unadultered emails in the nearfuture.
But that's only Microsoft rightnow.
I mean, pretty much all theother providers deal with MIME
and they don't really change thecontents of the MIME emails.
(54:30):
So as a general practice, evenif you are accustomed to using
PSD format, which a lot of usare in the eDiscovery, it's the
format to use for informationexchange.
If you deal in PST format, Iwould say also collect MIME
copies of these emails as aninsurance policy because you
never know.
Kelly Twigger (54:48):
And you go back if you've preserved the emails
and they're still existing onthe Microsoft.
I was gonna say server, butobviously it's not a local
server anymore.
If they're still existing inthe Microsoft environment, you
could always go back andrecollect it in a MIME format,
right?
If necessary.
Arman Gungor (55:03):
Well, it might be too late though, then.
But you know, that might besome situations where the email
is no longer available.
Kelly Twigger (55:09):
I would say make it part of the email, preserved
if it's on hold, and you couldgo back and recollect it in the
MIME format if necessary.
Yeah, because I don't thinkthere's a way to do a second
pass if you might startcollecting something in MIME, as
opposed to in their PSTs, theway that the because that's a
standard export from Microsoft.
Arman Gungor (55:28):
The problem that I've seen is this usually case
timelines are pretty long, asyou know.
So when the project starts,when there's a dispute, there's
an initial preservation, and bythe time the case is adjudicated
and it comes in front of thejudge, and there's maybe some
concerns of authenticity and allthat stuff, several years may
have passed.
So by then by the time you goback and revisit that, you may
(55:52):
have lost context.
And there's another issue whenyou preserve the emails, you
we're not only interested inwhat's in the emails, but
there's additional informationabout the emails, which we call
server metadata, essentiallycontextually information about
the emails that are not in theemail itself.
And to give you some simpleexamples, for example,
identifiers of these emails areusually sequential.
So you might have some sequenceinformation from the email
(56:14):
folder, right there, as in youknow it's emails 5678, for
example.
But if you look at email numbersix, its date is completely out
of sequence, so there's a bitof a discrepancy there in terms
of the sequence of these emails.
So there's a lot of clues therethat lie in the server
metadata.
And by the time you come backand revisit that case in two
years and try to dig into that,it might very well be too late.
(56:37):
So all the preservation stuff,I would highly recommend to take
care of in that initial phaseof preservation and not leave it
for like, okay, if there's adispute, we'll deal with it
later and in the future.
Kelly Twigger (56:49):
No, I completely hear you.
And that's the second or thirdtime that something that you
said has prompted me back toanother theme of mine, which is
you need to be doing this veryearly.
You need to be engaged with allof these data-related issues
very early on in the case, thatwaiting, as we often do as
(57:10):
litigators, until you get totrial to try and address some of
these issues, you're going toend up in a world of hurt
because the way electronicinformation can go away,
regardless of your bestintentions, to be able to keep
it in place.
And so that can be a tremendousproblem.
So I think that early planning,that early engaging with the
information, the early focus ontelling your story and what you
(57:33):
need to be able to tell yourstory is so critical in terms of
understanding but addressingall of these technological
challenges that come withgetting the information.
And one of the things that Italk about a lot is that we
really have two separateobligations in discovery.
One is to find the informationto allow us to tell our client's
(57:57):
story.
And that's perhaps your primarygoal.
But the second is to meet yourobligations to provide
information and discovery underthe rules.
And oftentimes we get toofocused on meeting our
obligations to provide discoveryand not on telling the story.
So I think what your thisentire conversation has really
emphasized for me is that you'vegot to focus at the outset
(58:22):
about what is the evidencethat's going to allow you to
tell the story and how are yougoing to get that in front of a
court.
And you got to try to addressthose technological issues
early.
Otherwise, you could end up,like you said, with not being
able to have either the form orthe information at all to be
able to recreate that story.
Arman Gungor (58:43):
It's true.
And I think you can go even alittle bit further back because
if you are, for example, generalcounsel for a corporation, or
you are essentially thecorporation that's planning to
have some type of litigation inthe future, like possibilities.
I think, like, you know, whenyou're setting up your IT
systems, you're essentiallyabout to settle into a workflow,
(59:04):
and that might involvecollaboration tools, it might
involve cloud storage tools.
I think before you really getstarted fully, it pays to kind
of evaluate your stance in termsof e-discovery readiness.
Because, you know, let's sayyou're going to use Provider X
and they support modernattachments and they support a
collaboration tool.
It's really cool.
But from day one, I would sitdown and say, okay, what would
(59:27):
happen if we got into litigationtoday and if we were asked to
produce all this stuff?
What are the steps that we needto take?
So to do like a dry run,basically, and figure out
exactly what would have tohappen for you to be able to
pull that off before you usesomething like confidential mode
in Google or the end to endencryption in Google, for
example, that's relatively new.
Is it really feasible to havethose features and at the same
(59:50):
time be reasonably ready forlitigation?
If it's not, then you mighthave to restrategize before you
really settle into thatworkflow.
Because otherwise, by the timeseveral years.
Pass and you have accumulatedterabytes of data and you know
thousands of modern attachmentsand encrypted files, you might
find yourself in a deadlockwhere you're ordered to do one
thing, but the reality is youjust can't do it.
Kelly Twigger (01:00:14):
Yeah, that's spot on.
I think knowing what yourcapabilities are before you even
get into litigation, but at thevery least, identifying them as
soon as your duty to preserveattaches or you reasonably
anticipate litigation is socritical because otherwise we
find ourselves agreeing to allkinds of things that we then
(01:00:35):
can't meet.
And we get in these huge longnegotiations about what we're
able to provide, whether it'shyperlink files or anything
else.
So this has been a fant afascinating conversation, Armin.
I'm so appreciative.
Thanks so much for joining uson the Meet and Confer podcast.
Can you, before we go, telleveryone whether if they don't
have FEC or FEI and want to haveaccess to those tools and
(01:00:57):
training, how they can getaccess to those?
Arman Gungor (01:01:00):
Yeah, sure.
Our website is Munaspike.com.
Our software and pricing andeverything is there.
So we work with online orders,so you can go pick up a license
there if you like.
We usually have live virtuallive training every six months
or so.
We have actually a forensicemail collector training coming
up in five days.
So in those trainings, weessentially try to cover it soup
(01:01:20):
to nuts from modern attachmentsto in-place searches, exports,
all kinds of details.
So it's helpful to kind of wrapyour head around what the
possibilities are and getinvolved in using the tool
fully.
We have another training that'son forensic email
investigations that's actually arandom neutral training.
It's not based on our own tool,but it's just a general email
(01:01:43):
investigation training programwhere we take you through my
messages, kind of similar to thethings we discussed.
What are the email headers?
What are digital signatures?
What are some marks of fraudand manipulation of emails?
What are the possibilities thatproviders offer for capturing
server metadata, evaluatingthose practice labs and stuff
like that?
So all that isMetaspike.com.
(01:02:04):
A lot of you might have me ontheir LinkedIn so you can reach
out to me there if you like, andwe'll go from there.
Kelly Twigger (01:02:11):
Fantastic.
All right.
Thanks so much, Arman.
We'll have to follow up againas the technology continues to
change and our capabilitiescontinue to change, specifically
as it relates to hyperlinkfiles.
But I'm so grateful for youbeing here today.
Thanks so much for joining usand imparting all your wisdom.
Arman Gungor (01:02:26):
Thanks for having me.
Thank you.
Kelly Twigger (01:02:31):
That's it for today's episode of the Meet and
Confer podcast.
Thanks for joining me, and ahuge thank you to Arman Gungor
for sharing his expertise onhyperlinked files, modern
attachments, and the constantlymoving target of cloud-based
email and document workflows.
It gets complex in thee-discovery workspace, and we're
incredibly grateful to folkslike Arman who are spending
(01:02:51):
their time figuring outsolutions for us to be able to
find the evidence we need totell a story with ESI.
If this conversation has yourethinking how you're handling
discovery or realizing how manyassumptions you're making about
hyperlinked files, versions, andaccess, that's exactly why I
built Minerva 26.
It's a discovery strategyplatform that helps litigators
(01:03:14):
create and validate theirdiscovery strategy by connecting
case law rules and real-worldworkflows, such as how to
identify and handle hyperlinkedfiles, so that you can make
faster, more defensibledecisions that shape your
emotions, protect yourcredibility, control costs for
your client, and let you get theinformation you need to tell
(01:03:36):
your client's story and win.
To see how Minerva26 can becomethe strategy hub for your
discovery decisions, head toMinerva26.com and schedule a
strategy session or request ademo.
Until next time, rememberDiscovery isn't just a box to
check, it is your litigationstrategy.
Leverage ESI to win.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
The Bobby Bones Show
Listen to 'The Bobby Bones Show' by downloading the daily full replay.