While the role of Computer Forensics has been growing in discussions about E-Discovery procedures, it has become apparent that many people don’t understand the essential differences between the two separate, but related, concepts. Forensics is growing in importance as a key component in creating an E-Discovery strategy that is defensible when questioned by a judge, because it provides validation that data is unaltered and in its original format. It is a part of the E-Discovery process that can no longer be ignored in the majority of cases, and it should become an integrated part of all E-Discovery moving forward.
Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. Computer forensics is also known as digital forensics. Discovery used to be solely a paper-based operation, and most time was spent sorting and categorizing subsets of paper copies of documents (any other dinosaurs out there remember this?). Now, while discovery still includes paper, its main focus is on collecting bits and bytes, along with metadata that describes a document’s provenance, much like the provenance of a piece of art. Based on the Federal Rules of Civil Procedure, the Sedona Principles and the current expectations of the judiciary, producing a “forensically sound” data collection is a growing concern.
Performing a forensically sound and legally defensible data collection will require that a Certified Computer Examiner (CCE) be involved in the planning stages of document production. CCEs utilize computer forensics software and hardware to gather electronic data (data from computers, hard drives, disks, phones, tablets, etc…). The process of identifying, gathering, and cloning the data is called “forensic imaging” and is a vital part of proving that the data is being produced as it should be, without any changes, deletions or alterations. Essentially, forensic imaging of a data storage device is taking a snapshot of the data in its entirety and in its current configuration.
Part of this snapshot will include the unused space on your computer. This unused space may appear to be nothing of importance, but after analysis, a CCE may show that it houses deleted files that were never overwritten. In the normal course of computer use, you do not see any of this, but using computer forensic and restoration tools a CCE may reveal electronic files thought deleted and gone forever. The final advantage of a CCE is that they can testify in court as to the collection methods used on the data, providing verification that best practices were used on the data population, and they can explain any anomalies in the data.
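To make the imaging, verification and unused-space points concrete, here is an added Python illustration that is not part of the original post. It uses a constructed toy device buffer with a made-up one-entry directory (not a real file system): ordinary deletion only clears the directory entry, the forensic image copies every block and is verified by hash, and the deleted content can still be carved out of the unused space.

```python
import hashlib
from typing import Optional, Tuple

BLOCK = 512
JPEG_MAGIC = b"\xff\xd8\xff\xe0"  # real JPEG/JFIF start-of-image marker
JPEG_EOI = b"\xff\xd9"            # real JPEG end-of-image marker

def make_device() -> bytearray:
    """Constructed 8-block 'device': block 0 is a toy directory, blocks 3+ hold a file."""
    dev = bytearray(8 * BLOCK)
    # Toy directory entry: 14 bytes of name, then the start block (3) and a pad byte.
    dev[0:16] = b"photo.jpg" + b"\x00" * 5 + b"\x03\x00"
    payload = JPEG_MAGIC + b"constructed picture data" + JPEG_EOI
    dev[3 * BLOCK:3 * BLOCK + len(payload)] = payload
    return dev

def directory_lists(dev: bytes, name: bytes) -> bool:
    """What a normal user sees: only files with a live directory entry."""
    return dev[0:16].rstrip(b"\x00").startswith(name)

def delete_file(dev: bytearray) -> None:
    """Ordinary deletion: the directory entry is cleared, the data blocks are untouched."""
    dev[0:16] = b"\x00" * 16

def forensic_image(dev: bytes) -> Tuple[bytes, str, str]:
    """Bit-for-bit copy of the whole device, including unused blocks.

    Returns the image plus SHA-256 of the source and of the image; matching
    hashes are the examiner's evidence that the copy is unaltered.
    """
    src_hash = hashlib.sha256(dev).hexdigest()
    image = bytes(dev)
    img_hash = hashlib.sha256(image).hexdigest()
    if src_hash != img_hash:
        raise RuntimeError("acquisition hash mismatch: image is not a faithful copy")
    return image, src_hash, img_hash

def carve_jpeg(image: bytes) -> Optional[bytes]:
    """Signature carving over raw blocks: recovers a JPEG-like file with no directory entry."""
    start = image.find(JPEG_MAGIC)
    if start < 0:
        return None
    end = image.find(JPEG_EOI, start)
    if end < 0:
        return None
    return image[start:end + len(JPEG_EOI)]

if __name__ == "__main__":
    dev = make_device()
    delete_file(dev)
    image, src_hash, img_hash = forensic_image(dev)
    print("visible in directory:", directory_lists(dev, b"photo.jpg"))
    print("hashes match:", src_hash == img_hash)
    print("carved from unused space:", carve_jpeg(image))
```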
E-Discovery is the discovery process as it applies to electronic records, which are often referred to as ESI (Electronically Stored Information). Electronic Discovery consists of a complex system of processes, but for simplicity, the definition discussed in this post is “the actual processing of electronic data (ESI)”. Once collected by a CCE, the data must be processed in an eDiscovery platform in order to determine what data is responsive and should be produced. Essential steps include:
1. Extracting all the text to allow key word and concept searching.
2. Extracting all metadata (generally tracking data, including times modified, accessed and created, and items such as sent by, sent to, cc, bcc, dates, RE, etc.).
3. Identification and isolation of files where data extraction is unsuccessful so that the files can be examined in their raw format.
4. Document review to determine responsiveness of documents in preparation for production.
In summary:
Computer forensics is for collecting, preserving, finding and restoring deleted data that is key to litigation, creating a reproducible set of steps that captures how a production of data has been conducted. There are not many certified CCEs in the country, so make sure that your team consults with one before implementing a strategy for data collection and production. E-Discovery services are for processing, culling, and delivering data that has been captured. This area also requires expertise that can be found with a consultant if your in-house team lacks the appropriate experience to handle it efficiently and cost-effectively.
While this is a simplified description of the complicated steps involved in data production, it should provide a preliminary discussion for those of you new to the E-Discovery process.


Craig: Thank you very much for taking the time to read our blog and respond to its content.
Your point is well taken: CCE certification is “NOT” required to perform a forensically sound and legally defensible data collection, as was stated in the posting. The point I should have made is that there are particular processes and procedures that must be followed in performing a forensic collection, and that certification is merely one way to help assure the court that these steps are understood and followed. There are many capable examiners who are not CCE certified. What they all have in common is an approach and process that results in a defensible data collection.
We always look forward to continuing the discussion and attempting to put forth the most accurate information possible for the industry. This posting was meant to be a starting point to inform people about the importance of forensic examination and gathering, as well as its growing role in EDiscovery. Imaging and undeletion are simply examples of the types of activities that can be performed. Our goal is to provide information and stimulate discussion about important topics for consideration.
To that end, we would appreciate your further input and would like to offer a guest column posting from you on this topic. This would help move the discussion forward and provide education to the industry. Thank you again for your feedback. We look forward to hearing from you soon.
Posted by: Jeff Parkhurst | April 21, 2011 at 03:03 PM
I have to disagree with this post on several fronts. Forensics entails much more than simply imaging and undeletion. The crux of computer forensics is analysis of data and metadata to address issues implicating computer usage and human and machine behavior. Much forensics requires no undeletion as the probative data and metadata need not be deleted to be enlightening. Areas such as registry hives, LNK files, prefetch, logs and volume shadow copies aren't routinely deleted, yet they play a crucial role in many computer forensic investigations.
Additionally (and though I am a CCE-certified examiner and hold the cert in high esteem), "[p]erforming a forensically sound and a legally defensible data collection will" *NOT* require the involvement of a CCE any more than the handling of a personal injury case "requires" the involvement of a board certified attorney. There are plenty of capable examiners who are fully qualified to undertake defensible forensic collection without CCE certification. Plus, there are other viable certifications on par with CCE (i.e., EnCE). Telling readers that forensic collection "requires" a CCE is misleading and self-serving.
Posted by: Craig Ball | April 13, 2011 at 11:59 AM