Traditionally, the collection phase of electronic discovery has been handled by experts on site in order to make a forensic copy of potentially relevant data. But with travel costs, a decreasing number of employees resident in main offices, and a continued focus on hitting deadlines, legal teams are leveraging “remote collections” to reduce cost and increase project velocity.
Remote collection is a method of collecting data where the forensic expert charged with handling the collection is not physically located at the data source. There are typically three approaches for executing a remote collection:
1. A remote collection kit, including a pre-encrypted hard drive, is shipped to the custodian (or the IT department, depending on what makes sense for the project and client environment and legal collection requirements), and at an appointed time, the custodian inserts the media into the computer and grants the expert remote access via a service such as Webex or LogMeIn. The process provides the expert with direct access to the target computer, to ensure the collection is done properly. This process is typically the most effective, although there are logistical and scheduling considerations the legal team should keep in mind.
2. The remote collection kit is shipped as in the scenario above, and the custodian or IT contact follows a set of instructions to initiate the collection. Once the process is initiated, the hard drive takes over and conducts an automated collection, taking a forensics image of every device connected to the computer. This process removes the need to manage logistics and scheduling between the custodian and forensics expert, and minimizes the amount of chargeable time needed for the collection. However, in this approach, the forensic expert is not on hand to ensure the process is carried out accurately or that it has captured all of the necessary data (e.g. an external hard drive next to the custodian’s computer).
3. The legal team leverages existing in-house tools to remotely collect from the network. There are a variety of software packages available for in-house remote collections. Corporations using this approach must ensure that the individual conducting the collection has basic knowledge of how to carry out a complete forensic imaging. Companies usually need to purchase and deploy these tools in advance, and they typically require an internal resource to use or support the tool.
A recent matter in a remote part of Africa illustrates the value of remote collection, and the cost savings that can be provided when it is done right. In this case, the collection required access to six computers in an office in Africa. The amount of time it would have taken for the forensic expert to travel to the site would have far exceeded the time spent actually conducting the collection. The company had an IT person on site, so the forensics team shipped the collection kit, and instructed him on how to initiate the process. While a similar case in a more easily accessible location may have justified an on-site collection, this particular matter done remotely provided the company with significant time and cost savings. The company was able to avoid the long delays of travel to and from the site, and excessive travel costs that would have resulted from sending a forensic expert to Africa.
Why remote collection
While cost is a key factor for the increase in remote collection deployments, there are a number of other advantages to remote collection. These include:
- Disparate teams: With key employees less frequently working at main offices — and more frequently traveling even if they do — the logistics necessary to support a fully live collection process can be daunting. A remote process can be much better for home-based employees and collections can even take place from a hotel room while an employee is on the road.
- Rapid deployment: When necessary, experts can start collecting the very next day (and sometimes even the same day if the collection can be moved over the Internet). This can be crucial in situations with tight deadlines or if there is a concern about custodians and potential spoliation of data.
- Reduced cycle time: While the clock time for a single custodian is often the same three days — one for outbound travel or shipping, one for the collection and one for return travel or shipping — a remote process allows for many collections over the same three day period. Any number of remote collection kits can be shipped overnight to custodians and shipped back once the collections are complete. With the right hardware, experts can even manage multiple collections simultaneously as once a collection is set up, there is a lag time while data copies, providing time for additional set-ups.
- Less travel-related hassle: Often forgotten is the hassle and time it takes to buy plane tickets, arrange hotels, and manage visas and passports. A remote process requires none of that.
- Business continuity: A remote process does not require users to give up possession of their devices or cause other disruptions; downtime is typically limited to each custodian spending a few hours without his or her device.
While remote collections can often reduce project cost and help teams meet deadlines, they are not a panacea and there are instances where the practice does not make sense. For example, the legal team may feel a need to keep the custodian (or the IT team) completely out of the process, either because of a concern that the custodian cannot be forewarned about an upcoming collection or because the team does not want the custodian to know what has been collected. And logistically, if there are a large number of collections to be done at the same location, especially if each is small, it may be more efficient and cost effective to send collection experts onsite.
Whatever collection method is chosen, it is important to remember that collection may be considered an inconvenience by custodians, time-consuming by IT and intrusive (and perhaps against policy) by the cybersecurity team. It is important to communicate properly and collaborate across legal, IT and any other concerned departments in order to mitigate these issues. Part two of this article will discuss common pitfalls and some use cases where remote collection can be the most appropriate.