In supporting litigation I am often asked to assist with a demand for inspection of an opposing party’s computer systems or to defend against unfettered access to computer systems by an adversary. These cases frequently involve a purported theft or destruction of data requiring forensic analysis of the relevant systems. Forensic analysis goes beyond what a document review will uncover.
For instance, if a Microsoft Word document is central to issues in litigation, review of that document may yield relevant content and perhaps useful metadata. The Word document itself will not, however, give you any indication if it had been copied to external media, emailed outside the organization via a personal Web mail account or whether other deleted copies or fragments exist which may help paint a more detailed picture of the provenance of that all-important document. In addition, activity occurring during the timeline of editing versions of the document may provide additional relevant information not normally included in a legal review of electronic documents. System logs and system settings maintained by the operating system are additional sources of evidence not normally included in a document review.
