Computer Forensics vs. eDiscovery: What Does Your Case Need?

At a recent legal technology trade show I was overwhelmed by how many computer forensics and electronic discovery (aka eDiscovery or E-Discovery) companies are out there peddling services. I say peddling because many of them are brokers of the services and have never actually performed the service. Many of these brokers have mastered the basic lingo, so it is hard to tell they are not genuine providers. Upon asking the brokers I met — “what’s the difference between electronic discovery and computer forensics?” — I often drew blank stares, with several of them giving answers containing verbiage well outside their comfort zones.

After being in this industry for over 18 years, and having spent 14 of those years at New Jersey Legal, the firm I founded, I feel the need to communicate some of the basic principles of forensics and electronic discovery with our clients. New Jersey Legal services over 500 law firms across the state annually, so I hope this reaches and helps some of you. I have diligently kept up with both computer forensics and electronic discovery by consulting with clients, attending classes, and sitting through countless “webinars” and seminars. From this variety of education, New Jersey Legal has developed educational manuals and offers courses on these services. My goal is to help you understand more about computer forensics and electronic discovery by presenting concepts as simply as possible. In subsequent blog posts I will gradually advance the concepts and the technical issues, giving everyone a more advanced feel for both computer forensics and electronic discovery.

What are the general differences between computer forensics and electronic discovery services?

COMPUTER FORENSICS:

Computer forensics (technical definition) is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. Computer forensics is also known as digital forensics.

Not long ago, discovery consisted mainly of gathering paper documents, but today, it means not only collecting paper, but also collecting any related electronic data. If you think of the lifecycle of a legal case in 2009, most of the cases have to start with a forensically sound “Data Collection.” For this blog post we are going to keep it simple and limit the electronic data in this scenario to three main categories.

  1. Loose electronic files (Word docs, spreadsheets, PowerPoint files, etc.; for example, what you might find in your “My Documents” folder)
  2. Image files (TIFFs, JPEGs, PDFs, etc.; for example, photos or scanned documents you may have saved on your computer or attached to an email)
  3. Email files (mainly PSTs – these are electronic container files that may include emails, attachments, contacts, calendar items, etc.)

Performing a forensically sound and court-defensible data collection will require a Certified Computer Examiner (CCE). CCEs utilize computer forensics software and hardware to gather electronic data (data from computers, hard drives, disks, etc.). CCEs testify in court as to the collection methods used, verify that everything was collected, and explain any issues or anomalies in the data. The process of identifying, gathering, and, in theory, cloning the data is called “forensic imaging.” When the CCE is “forensically imaging” a data storage device, they are basically taking a snapshot of the data in its entirety and in its current configuration. Part of this snapshot will include the unused space on your computer. This unused space may appear to be nothing of importance, but after analysis, a CCE may show that it houses deleted files that were never overwritten. In the normal course of computer use, you do not see any of this, but using computer forensic and restoration tools a CCE may reveal electronic files thought deleted and gone forever.
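The imaging and recovery steps described above can be shown in miniature. The following is an added example, not code from the original post or from any forensic product: it copies a constructed 8 KiB "device" byte for byte, uses a SHA-256 comparison as one common way to verify the copy, and then carves a deleted JPEG out of the unused space. All function names and the sample data are assumptions made for illustration.

```python
import hashlib
import io

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def image_device(src, dst, chunk=4096):
    """Copy every byte of src to dst; return the SHA-256 of what was read."""
    digest = hashlib.sha256()
    while block := src.read(chunk):
        digest.update(block)
        dst.write(block)
    return digest.hexdigest()


def verify_image(dst, expected):
    """Re-hash the finished image; a match shows the copy is bit-for-bit."""
    dst.seek(0)
    return hashlib.sha256(dst.read()).hexdigest() == expected


def carve_jpegs(raw):
    """Return (offset, bytes) for each JPEG start/end marker pair in raw data."""
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start)
        if end == -1:
            break
        found.append((start, raw[start:end + 2]))
        pos = end + 2
    return found


def build_sample_device():
    """Constructed 8 KiB 'disk': a live file, then unused space with a deleted JPEG."""
    live = b"QUARTERLY REPORT".ljust(4096, b"\x00")
    deleted = JPEG_SOI + b"\xe0" + b"constructed-photo-bytes" + JPEG_EOI
    unused = (b"\x00" * 512 + deleted).ljust(4096, b"\x00")
    return live + unused


if __name__ == "__main__":
    device, image = io.BytesIO(build_sample_device()), io.BytesIO()
    source_hash = image_device(device, image)
    print("source sha256:", source_hash)
    print("image verified:", verify_image(image, source_hash))
    for offset, data in carve_jpegs(image.getvalue()):
        print(f"recovered {len(data)} bytes at offset {offset}")
```

The carved file is found only because the image includes the unused space; a copy of just the visible files would not contain it.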

ELECTRONIC DISCOVERY:

Electronic Discovery, eDiscovery or E-Discovery is the discovery process as it applies to electronic records. These electronic records are referred to as ESI (Electronically Stored Information). Electronic Discovery is complex, but for simplicity, in this first post, we will define it as “the actual processing of electronic data (ESI)”. For this E-Discovery example, let’s say our ESI (electronic data) was first collected or “imaged” by our CCE. Now we have to process the data in our eDiscovery platform. In this simplified example, the process will include the following:

  1. Extract all the text to allow keyword searching.
  2. Extract all of the metadata (metadata is “data about the data” – metadata fields most commonly utilized in loose files are MAC times – modified, accessed, created. Metadata fields most commonly utilized for emails are – sent by, sent to, cc, bcc, dates, subject, etc.)
  3. Identify any files where text extraction was not possible. Further processing will be needed for these files and this processing will be explained in a future blog post.
  4. Cull down the data set by keyword, date range, and custodian searches.
  5. At client’s request, export all the relevant data and load files for Concordance, Summation, etc., or host the data on our web-based platform, ImageDepot.
  6. Once reviewed for privilege, we can export just the responsive data. This data is exported along with a specified “load file” that will allow the party receiving the data to load, into their system, all the records along with the associated metadata for each record.
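The processing steps above, carried through on four constructed emails, as an added example that is not code from the original post or from any eDiscovery platform. It extracts text and metadata, sets aside a record with no extractable text, culls by keyword, date range and custodian, and writes a delimited load file. The function names, sample messages and the Concordance-style delimiters (þ text qualifier, ASCII 20 field separator) are assumptions.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample ESI (custodian, recipient, date, subject, body); not real data.
ROWS = [
    ("jsmith", "akhan", "03 Mar 2009 10:15:00 +0000", "Merger terms", "Draft merger agreement."),
    ("jsmith", "akhan", "12 Dec 2008 09:00:00 +0000", "Merger kickoff", "Early merger notes."),
    ("akhan", "jsmith", "04 Mar 2009 08:30:00 +0000", "Lunch", "Pizza on Friday?"),
    ("akhan", "jsmith", "05 Mar 2009 14:00:00 +0000", "Scanned contract", ""),  # no text
]
HDR = "From: {0}@example.com\nTo: {1}@example.com\nDate: {2}\nSubject: {3}\n\n{4}"
SAMPLE_ESI = [(row[0], HDR.format(*row)) for row in ROWS]
FIELDS = ["DOCID", "CUSTODIAN", "FROM", "TO", "DATE", "SUBJECT"]
SEP, QUOTE = "\x14", "\xfe"  # assumed Concordance-style DAT delimiters


def process(esi):
    """Steps 1-3: extract text and metadata; set aside records with no text."""
    records, exceptions = [], []
    for n, (custodian, raw) in enumerate(esi, start=1):
        msg = message_from_string(raw)
        rec = {"DOCID": f"DOC{n:04d}", "CUSTODIAN": custodian,
               "FROM": msg["From"], "TO": msg["To"], "SUBJECT": msg["Subject"],
               "DATE": parsedate_to_datetime(msg["Date"]),
               "TEXT": (msg.get_payload() or "").strip()}
        (records if rec["TEXT"] else exceptions).append(rec)
    return records, exceptions


def cull(records, keyword, start, end, custodians):
    """Step 4: keep records matching keyword, date range and custodian."""
    return [r for r in records
            if keyword.lower() in f'{r["SUBJECT"]} {r["TEXT"]}'.lower()
            and start <= r["DATE"] <= end and r["CUSTODIAN"] in custodians]


def load_file(records):
    """Steps 5-6: one delimited row per record so metadata travels with it."""
    rows = [FIELDS] + [[str(r[f]) for f in FIELDS] for r in records]
    return "\n".join(SEP.join(f"{QUOTE}{v}{QUOTE}" for v in row) for row in rows)


if __name__ == "__main__":
    docs, exceptions = process(SAMPLE_ESI)
    lo = datetime(2009, 1, 1, tzinfo=timezone.utc)
    hi = datetime(2009, 12, 31, tzinfo=timezone.utc)
    print(load_file(cull(docs, "merger", lo, hi, {"jsmith"})))
    print("no extractable text:", [r["DOCID"] for r in exceptions])
```

Records in the exceptions list are never searched by keyword, so they need the further processing mentioned in step 3 before culling can be considered complete.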

Again, keeping it simple…

In short, computer forensic services are for collecting data, preserving data, and finding and restoring deleted data. E-Discovery services are for processing, culling, and delivering data. These simplified concepts should help get you started and serve as a guide when strategizing as your case begins.

Gary Overman
President
New Jersey Legal
