Thank you for sharing!

Your article was successfully shared with the contacts you provided.
With the rapid growth of electronic discovery, even well-informed lawyers and support teams are often unclear about the differences between computer forensics and electronic discovery. The differing processes of collecting and reviewing electronic data involve varying levels of technological sophistication and data interpretation, and the choices you make about which services to use depend on the matter at hand. While electronic discovery is needed vastly more often than computer forensics, legal teams may use one or both services in particular matters. The following article provides you the practical working knowledge you’ll need to determine which discovery approach is best suited for your needs. WHAT ARE ELECTRONIC DISCOVERY AND COMPUTER FORENSICS? Electronic discovery is best described as the collection, preparation, review and production of electronic documents from large numbers of hard drives and other storage media. Electronic discovery firms may be called to testify regarding chain of custody of particular collections. Computer forensics is the use of an expert to preserve, analyze and produce data from a single hard drive. It’s sometimes referred to as the “autopsy of a computer hard drive,” using specialized software, tools and analysts who often provide expert witness services. So what’s the real differentiator between the two services? The main differences relate to the volume of information involved, who touches what type of data, and whether expert reconstruction is required. DATA COLLECTION A key differentiator between electronic discovery and forensics appears in the data collection process. Standard electronic discovery deals with “live data,” also known as “active data.” Live data includes those files on a computer that are readily available and can be accessed without having to use a file restoration process. Forensics goes beyond that, and involves locating files on a hard drive that have been deleted or damaged, including file fragments that are located in unallocated disk space. Although data collection for electronic discovery is sometimes done using forensics software tools, use of those tools doesn’t necessarily equate to forensics-type services. True forensic data capture is achieved by making a bit-by-bit image copy of the media in question, usually a hard drive. This “forensics image” means that the entire hard drive has been copied, including data that is live, deleted, damaged, encrypted, etc. This collection process is sometimes called making a “mirror image” or “ghost” of the hard drive. When an IT person says they’re “ghosting a drive,” however, they’re generally only copying live files and associated metadata. Unless special software switches are used, a “ghost” can be misinterpreted as being a “mirror image.” While these terms are not generally used by forensics providers, they have become more commonly used by legal and information technology professionals. The equipment used for data capture may also vary between electronic discovery and forensics. Forensics technicians generally use their own specially calibrated collection equipment to capture files. The technician would likely remove the hard drive from a subject’s laptop computer, and hook it up to the forensics computer so no changes could happen on the subject’s hard drive. It’s important to note that just booting up a system will change content on the subject hard drive; hence it’s important to keep the environment as controlled as possible. For electronic discovery, the integrity of the data is of paramount concern and strict collection guidelines are also followed, but the collection can be accomplished using client machines. WHEN TO KEEP DATA ON ICE When does it make sense to do a forensics image of a hard drive? It depends on the type of case you’re managing. It’s often appropriate in criminal matters and quasi-regulatory criminal matters (such as voluntary compliance to SEC requests). It’s also frequently done in employment matters where there is the possibility of theft or destruction of intellectual property, abuse of company policies or when an employee leaves under contentious circumstances. Creating a forensic image of a drive ensures that the company has all of the computer user’s data. It provides visibility into all communications generated on the computer in question, as well as file copying, deletion or other unusual activity. DATA REVIEW AND INTERPRETATION Data analysis is another key point of differentiation between electronic discovery and forensics. While electronic discovery vendors do sophisticated data collection of live data, they generally do not analyze the data, interpret computer user intent or provide legal advice to their clients. Rather, electronic discovery providers aggregate the data into a unified database and provide tools to enable a client’s legal team to do its own data review. Forensics investigators work with legal teams to review the files, and assist the legal team in building its case. They can identify passwords, network log-ins, Internet activity and e-mail message fragments. During forensic analysis, the analyst will search intact files, file fragments, and deleted files, with the intent of resurrecting those partial files. The forensic analyst will also work with the attorneys to identify keywords, and then search the entire data set for those keywords. The forensics investigator often serves as a qualified expert witness, and provides opinions about the intent and actions of the data custodian in question. An interesting aspect of forensics is that it can reveal how a machine was physically configured, such as whether it was hooked up to multiple networks, or if peripheral devices were temporarily connected to the machine on specific dates. This helps the forensics expert assesses the user’s intent, determining whether the user’s drive shows “normal” file activity, or if there an unusual scrubbing of the hard drive. It can also identify recent use of an external drives, such as CD burners. FORENSICS EXPERTS ON THE STAND If you determine that forensic data interpretation is right for your case, you’ll want to carefully evaluate the people you engage as senior forensics experts. Any forensics expert you use must be disclosed and is subject to being called for deposition or to take the stand in court. Many of the most qualified forensics experts come from law enforcement backgrounds such as police, FBI or the military. You may also utilize senior programmers or information technology systems personnel to testify in regard to data and computer usage. When you bring forensics evidence forward, it’s not admitted the same way that electronic discovery live data is. The forensics analyst gives expert testimony regarding how the data was constructed. You’ll want to keep in mind that talking shop with your forensics team can have some unexpected and unpleasant implications. You’ll want to isolate the testimonial liability of your forensics expert to just the drive he or she is analyzing. You don’t want to unnecessarily expose the expert to information regarding the data universe, the overall collection strategy, the case review strategy, merits of the case, and especially not the decision-making process behind which drives were selected to be imaged. HOW ELECTRONIC DISCOVERY AND COMPUTER FORENSICS WORK TOGETHER Understanding what your client wants to accomplish will determine whether an electronic discovery vendor or forensics vendor is initially selected. Time and money are often drivers in the selection of which services to use. It takes more time to do a forensic image of a hard drive than to do live data collection, and specialized data review by a forensics investigator can be a laborious process. The primary driver for whether forensics-grade collection is done is whether it’s important to collect deleted files. If the answer is “yes,” then you’d go down a forensics path. If the answer is “no,” then you’d use an electronic discovery vendor to gather those live files. If your client becomes involved in a criminal lawsuit, or a matter that involves a large sum of money, the opposition may demand forensic data. Clients that have been sanctioned by the courts for discovery abuse or spoliation are also likely candidates for forensic preservation. Occasionally a client will need both forensics investigation as well as the capability to use electronic discovery for broader team visibility into the data. Electronic discovery aggregates and outputs all files to a common file format such as TIFF or HTML to prepare the data for review. Electronic discovery review options vary from software-based installations to Web-based data review tools that enable an entire legal team to review the data set. When both services are needed, your electronic discovery vendor would work with a dedicated forensics company to manage and share the data. SELECTING COMBINED SERVICES Many companies offer both electronic discovery and forensics services, with varying levels of experience and expertise. It can be difficult to determine which vendors will provide the service levels you need. A common and sound practice is for electronic discovery vendors and forensics vendors to partner with each other, co-managing aspects of a client’s project to deliver the services required. As you’re evaluating service providers, be certain to do sufficient research on their capabilities and history, and check client references. Do the vendors have deep experience in either electronic discovery or forensics, or did they start in a different aspect of the supply chain, such as scanning and coding? Every step in the discovery process is subject to question once in court, so selecting a less experienced vendor exposes your client to all the weaknesses of that vendor. You’ll want to be confident that that every step in the data custody and review chain is as bullet proof as possible. Mary Mack is an attorney with more than 22 years experience in the legal industry. As the Director of Sales Engineering, she helps Fios’ customers define the scope of potential projects so they can effectively and easily implement their electronic discovery projects. Formerly a director with Data Recovery Services, Mack is certified in forensics tools. Information about Fios can be found at www.fiosinc.com. To purchase a subscription to the “Legal Tech Newsletter,” click here.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.