Electronic discovery is hard enough considering all of the sources of electronically stored information (ESI) that have to be preserved, collected, searched, analyzed and more. Many lawyers know that ESI can be found on email and file servers, laptops, backup tapes, mobile devices, removable storage media, database systems and much more. Moreover, the electronic discovery process must be performed in a manner that is forensically sound in consideration of the evidentiary integrity of the ESI. But if you think electronic discovery is tough in the ordinary course, just wait until you have to perform it in the context of a cybersecurity breach. Given the many high profile data breach incidents increasingly making headlines, as well as the potential liability associated with such incidents, counsel unfamiliar with electronic discovery in such cases may wish to consider delving into the subject.

The sources of ESI involved in a cyber-breach can be astoundingly varied and complex. Additional complications arise from the fact that applying forensically sound techniques to investigate the relevant sources of ESI without disturbing the data can be next to or actually impossible. However, for anyone involved in a cyber-breach case, it is critical to have a basic understanding of some of the main sources of ESI.

In many ways, the key to the difference between ordinary electronic discovery and electronic discovery in cyber breach cases is that the latter cases typically deal with network data that was or is in motion. This means that aspects of networks are involved in a way that is not typical of other kinds of electronic discovery cases. Networks, especially when Internet connectivity is involved, can be astoundingly complex, involving an array of devices, protocols, logs and systems that make ordinary e-discovery look like child’s play. Let’s consider some of the hardware and the related ESI that may be involved in a typical hacking case. Such hardware includes, for example, cables, wireless access points, switches, routers, and firewalls:

  • Even the wires connecting various network hardware devices can be a source of forensic evidence. Experts can “tap into” the cables and capture data flowing across the network. There are various types of such taps, even taps that allow capture of data from light signals going across fiber optic cables.
  • ESI can also be obtained from wireless networks. The data transmitted by wireless access points is easily captured if unencrypted or decrypted and can yield important ESI even if encrypted. This includes not only information about where attacks to the network are originating; the data traffic can be analyzed for patterns using statistical and other tools.
  • Switches can act as bridges connecting different network segments. They can serve as a source of memory useful for a variety of investigative purposes, including even potentially tracing the ESI to a specific wall jack. Switches can also be used to facilitate the capture of data using “packet sniffers.”
  • Routers can connect disparate networks. This function means that routers perform a key function in facilitating the global Internet. The tables and logs maintained by routers can be important sources for tracking the movements of hackers, but this potentially precious ESI can be erased if the investigator is not careful.
  • Many users have heard about the importance of using firewalls to protect their personal networks. Firewalls can be thought of as specialized routers that filter data. More sophisticated firewalls are a key part of any business enterprise’s cyber-security strategy. They can keep potentially relevant ESI in the form of logs of data traffic that violates security policy rules implemented by the firewall.

By no means are these the only potential sources of ESI in cyber breach cases, but they are a few of the most basic sources that may be unfamiliar to many lawyers adept at electronic discovery in other contexts. Expert cybersecurity investigators should be able to identify other potential ESI sources, often in the form of logs containing critical clues for tracking hackers through the wilds of cyberspace. Indeed, an introduction to the potential sources of ESI described here may provide a stark reminder of the need for technical forensic expertise in preserving, collecting and analyzing ESI in cyber breach cases.