Throughout the course of day-to-day operations, companies generate a lot of digital data, which can become crucial evidence in the event of an unwanted incident. Forensic collection is perhaps the most technically rigorous and complex of all eDisclosure phases.
An often neglected area in the litigation process is the efficient and traceable collection and preservation of data. Crucial to this process is ensuring that all data is preserved and collected in a defensible manner, adhering to the Association of Chief Police Officers’ (ACPO) guidelines on digital evidence. Failure to collect evidence in the proper manner can result in it being deemed inadmissible. The four ACPO guidelines that should be adhered to are:
- Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
- Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Data collection is perhaps the most challenging of all the eDisclosure phases – outlined in the Electronic Discovery Reference Model (EDRM). It is based on the effective extraction of potentially relevant sources of electronically stored information (ESI) from its native source into a separate forensic repository.
Only trained digital forensic consultants have the skills and technology to accurately collect large volumes of data without compromising its integrity, or indeed the metadata which is so often essential to investigation efficiency. Substandard or incorrect data collection methods are known to significantly increase the cost of investigations by as much as a factor of 10 (Source: 7Safe).
Types of ESI for Forensic Collection
Different data sources have different levels of accessibility and present different collection challenges. Here is a breakdown of five common categories of ESI that often need to be collected for eDisclosure:
- Active: Data that is used on a regular basis, such as email or other electronic documents that are stored on a local hard drive or network drive.
- External: Data that is created outside the scope of corporate networks or formal IT infrastructures, such as cloud storage, mobile devices and social media.
- Offline: Data that is no longer in active use, but has been stored or archived.
- Backups: Traditional backups or disaster recovery systems that are designed to store data in the event that it must be restored. These systems compress files, which makes them difficult to search, and they therefore tend to present significant collection challenges.
- Hidden: Data that has been previously deleted or that is not readily visible to regular system users. These files are highly inaccessible, and attempting to recover them requires specialised forensic collection tools.
Approaches to Forensic Collection
There are various approaches organisations can take in collecting data for use in eDisclosure.
Self-collection, in which the company’s own employees collect the data themselves, is the riskiest of all approaches. Without specific skills or knowledge in data collection, self-collection will very likely result in mistakes, either through misunderstanding relevancy or through overlooking important documents which may form key evidence. This approach should be avoided at all costs. Several courts have even questioned whether employee self-collection constitutes a “defensible” eDisclosure response (Source: Daniel Lim, Corporate Counsel).
The most common collection approach is an IT collection, in which members of the IT department perform the actual data collection at the direction of the legal department. IT collections can be very time-consuming and keep IT professionals from other business-critical projects. IT professionals also tend to associate data collection with forensic imaging, and without clear guidance from the legal team on what specifically needs identifying and extracting, they tend to provide less data than is actually needed to establish effective responses.
The second most advisable option is to conduct a remote collection. This integrates a central system with the data sources to allow ESI to be collected remotely, avoiding the need for any direct interaction while vastly increasing speed and efficiency. Remote collections should be the preferred approach if the travel expenses associated with being physically present are cost-prohibitive, the data is not readily or easily accessible, or when targeted collections using search and analytics technologies are appropriate.
Typically, the most advisable approach is to allow a professional to conduct on-site collection, especially when there are many custodian workstations all in one location, the data needs to be collected from complex systems over a period of days or weeks, or when full forensic imaging is necessary. While optimal data sets streamline the rest of the eDisclosure process to reduce costs and lead times throughout, the most significant factor is the impact on legal outcomes, ensuring that defensible responses can be provided.
Forensic Collection Methodologies
Each eDisclosure project comes with a specific set of requirements that should dictate how the data is handled and ultimately collected. The graphic below, originally from Exterro and Alvarez & Marsal’s infographic on e-discovery data collection, outlines the different types of legal matters and how ESI should be collected for each.
Forensic collection should be tailored to each individual case and is not a process that is supported by a single technology. There are a variety of tools that eDisclosure collection specialists will leverage, depending on the specific matter needs and priorities.
The Importance of Forensic Collection in eDisclosure
In nearly all instances, collecting data forensically is critical for use in litigation or investigatory matters. Organisations that implement a sound disclosure plan and engage a neutral third party to assist in the management and execution of the collection, preservation and search efforts for potentially responsive data are positioning themselves to mitigate their risk.
Collecting data correctly is crucial to compiling a defensible eDisclosure response. Organisations should ensure that the eDisclosure practices they undertake:
- Adhere to the Association of Chief Police Officers’ (ACPO) guidelines on collecting and preserving digital evidence;
- Consider the different types of ESI and overcome the challenges each poses;
- Consider the case-specific set of requirements to select the most appropriate forensic collection methodologies;
- Establish a tailored approach to forensic collection that takes into account wider demands, challenges and implications.
Failure to collect data in the proper manner will result in the eDisclosure process being inefficient and costly. Investigation costs can increase by as much as a factor of 10, with wider commercial implications including reputation and disruption to the business causing a substantial impact on operations.
Further commercial considerations include engaging with a single vendor who can perform all eDisclosure services rather than forensic collection in isolation. Transferring data, communication, technologies or management processes between parties increases cost, time and the likelihood of mistakes.
Ultimately, the most significant reason why organisations should undertake forensic collection correctly is to ensure the accuracy and defensibility of the eDisclosure response. Risking the success of a litigation or investigatory matter due to incompetent collection practices would be nonsensical.
Organisations should take care to engage with an eDisclosure organisation with extensive experience in collecting ESI across a vast range of sectors.