Computer Forensics Expert Michael Sarlo on Compelling eDiscovery

Michael Sarlo appears on my show discussing how he has brought success to his clients using his expertise in computer forensics and electronic discovery to help his clients compel production of sought after emails on backup tapes.

The transcript of the video follows.

Michael Sarlo (MS) Left & Lee Neubecker (LN) Right

Success Story: Compelling Discovery of Email from Backup Tapes

MS: We like to think that most of the things we do are successful for our clients. We are always trying to come up with better solutions and better ways to allow our clients to visualize data, and also to be as consultative as we can, more so in our digital forensics practices and in educating lawyers on the best practices of workflow around data forensics, but also on how to leverage the data that we are able to extract from our investigations in the courtroom. I occasionally will function as an expert witness on various issues in the digital forensics world. I recently had a case involving a Fortune 25 company, working for some plaintiffs, where some major issues were uncovered through some deposition questions that HaystackID helped our client develop. They were going to get an IT witness after many years of not getting a solid handhold on the overall landscape of the defendant in this matter. We came in at that point with about 500 questions to ask this IT witness. During the deposition it was discovered that throughout the course of this matter the defendant had failed to disclose about a semi-truck of backup tapes, which is a large amount when you quantify that. It’s crazy.

LN: More than a haystack!

MS: Yes, more than a haystack for sure, and a lot of deficiencies in the defendant’s methodologies for data collection, for putting data on legal hold, and just for preserving data and then ultimately producing that data in response to several different matters, some for regulators who were investigating the defendant in this matter and then also on the civil side, which was the matter that we were involved in. At this point, the other side had brought in an opposing expert witness, and oftentimes in these types of matters involving tape data we start to talk a lot about the differences between a backup system and a disaster recovery system. When you’re thinking about backup, it’s more something that comes back very quickly or is more accessible. In certain situations there is a thought or common argument that the types of systems in place at large corporations that involve tapes are for disaster recovery rather than for backup, and therefore restoring them is a much more costly and difficult process. Additionally, a second piece of this argument that started to pop up was that these backup tapes are rather old, we are interested in specific custodians, and there actually is no way for the defendant to identify where the custodians’ data was on these backup tapes, specifically on what Exchange servers, nor what type of servers were being backed up. So we took a look at a paper log printout of the tape backup system. It was very obvious, right away, what servers were being backed up and on which backup tapes. The company, like many other large corporations, which usually isn’t a good idea, named all of their Exchange servers ‘the company name dash EXH01, EXH02, (etc.)’. In the hacking world, that makes it very easy to know where your emails are.

LN: So you’re like… I’ll take THIS tape!

MS: At that point, we had figured out how to say, ‘well hey, you have two semi-trucks of backup tapes, we know the tapes now that contain an Exchange server,’ but we weren’t really able to answer the question of who lived where and on what backup tapes.

LN: You could quantify the cost to restore X number of tapes.

MS: Right, so I spoke with our client a little bit more and I asked them, ‘do you have any native emails?’ What I mean by native emails is raw email data that was produced to you by the defendant. They had a handful of emails, and there is a lot of metadata in emails, much more than “To”, “From”, “CC”, “BCC”, and the body text that we’re typically interested in from a document review perspective and more just from a fact discovery standpoint. There are many fields, and when I took a look at the emails, more in their deep metadata, I was able to see the servers internally in the defendant’s network that these emails were bouncing to.

LN: You could identify off the headers what specific exchange servers and what tapes you needed based on the relay header.

MS: Exactly. So we walked into a hearing at this point and we were able to compel the other side to produce all of their emails again in native format. At that point we actually wrote a program that basically pulled out and wrote a data map of the defendant’s infrastructure. We picked five tapes from this; I basically started to function as a discovery master between both parties on behalf of the judge. We picked five tapes that we wanted and at just about that point the matter settled. Nobody wanted us to see what was on those tapes!

LN: That’s how it works!

MS: That was a huge win for us and our clients.

LN: That’s great.
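The header-to-tape mapping Sarlo describes above (reading the internal relay hosts out of native emails' Received headers, then joining them against the backup system's log to pick tapes) as an added Python example; this is not HaystackID's program, and the hostnames, addresses and log lines are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample "native" emails (hypothetical hosts and addresses, not from the case).
# Each hop prepends a Received header, so the last one listed is the earliest hop and its
# "from" host is the internal server that first accepted the sender's message.
RAW_EMAILS = [
    "Received: from ACME-EXH01.corp.acme.example by ACME-EXH02.corp.acme.example; Tue, 3 Mar 2015 09:14:02 -0500\n"
    "Received: from ACME-EXH03.corp.acme.example by ACME-EXH01.corp.acme.example; Tue, 3 Mar 2015 09:14:01 -0500\n"
    "From: Jane Custodian <jane@acme.example>\nTo: Bob <bob@acme.example>\n\nbody\n",
    "Received: from ACME-EXH07.corp.acme.example by ACME-EXH01.corp.acme.example; Wed, 4 Mar 2015 11:02:10 -0500\n"
    "From: Sam Custodian <sam@acme.example>\nTo: Bob <bob@acme.example>\n\nbody\n",
]
# Constructed backup-system log: tape label, server backed up, job date.
BACKUP_LOG = """TAPE-000118 ACME-EXH01 2015-03-01
TAPE-000119 ACME-EXH03 2015-03-01
TAPE-000120 ACME-FS01 2015-03-01
TAPE-000204 ACME-EXH07 2015-03-08
TAPE-000205 ACME-EXH03 2015-03-08"""
SERVER_RE = re.compile(r"\b([A-Z0-9]+-EXH\d+)\b", re.I)  # the "<company>-EXHnn" naming pattern

def custodian_map(raws):
    """Map sender address -> set of Exchange hosts that first accepted their mail."""
    data_map = {}
    for raw in raws:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        received = msg.get_all("Received", [])
        hit = SERVER_RE.search(received[-1]) if received else None  # earliest hop; "from" host comes first
        if sender and hit:
            data_map.setdefault(sender, set()).add(hit.group(1).upper())
    return data_map

def tape_index(log):
    """Map server -> sorted tape labels that hold a backup of that server."""
    idx = {}
    for line in log.splitlines():
        tape, server, _date = line.split()
        idx.setdefault(server.upper(), []).append(tape)
    return {s: sorted(t) for s, t in idx.items()}

def tapes_to_request(custodians, raws=RAW_EMAILS, log=BACKUP_LOG):
    """Tapes worth restoring for the named custodians: header-derived servers joined to the log."""
    cmap, idx = custodian_map(raws), tape_index(log)
    wanted = set()
    for c in custodians:
        for server in cmap.get(c.lower(), ()):
            wanted.update(idx.get(server, []))
    return sorted(wanted)
```

On real productions the Received chain often also names gateway and anti-spam hops, so the regex should be tuned to the naming convention observed in the backup log rather than assumed.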

Michael Sarlo is the Vice President of eDiscovery & Computer Forensics at HaystackID. Michael’s profile can be viewed at

Please share this video with a back link to the transcript!
