Forensically Sound Data: What Does IT Need to Do?

By Guest Author Print this article Print
Forensically Sound Data

Learn about the admissibility of electronically stored information and what IT can do to reduce rising costs associated with ESI collection, storage and review.

Criminal: It may sound odd to discuss criminal matters in the context of what a corporate counsel and IT department must do for purposes of preservation, but it is more common than most people think. Corporate fraud, employment issues, theft and all manner of white-collar crime often are first discovered by insiders and frequently treated as a fact-finding effort by management.

Internal investigations must often handle evidence. In these cases—especially when the person(s) under investigation have or control the electronic evidence—IT departments must take extra care not to alter the evidence and to obtain enough evidence to reconstruct potentially deleted or altered files. And they must do this while maintaining a rigorous chain of custody.

Targeted Collections Versus Collect-All  

The key difference between targeted versus collect-all approaches is that targeted collections involve some form of prescreening and information gathering related to exactly what is relevant and limiting the collections efforts to only those files. Often, even targeted collections will cast a broad net in terms of date ranges, document types, data storage locations and even specific individuals. However, the benefits are an overall reduction of known non-relevant information. If you don’t have to collect it, you don’t have to review it and store it.

Likewise, the collect-all approach has two aspects: In a true bit-by-bit (or physical image) of the source media, a specialist is able to make an exact copy of the source: active files, deleted files and slack space (portions of a hard drive that are not fully used by the current allocated file and which may contain data from a previously deleted file). These types of collections are important in situations where you may need to reconstruct file fragments to discover prior versions of a document, or reconstitute evidence that may have been altered or destroyed. In these cases, a physical image gives examiners the ability to tell more of the story with the evidence.

Not all matters require that level of analysis, but searches may still benefit from a more comprehensive approach than a targeted collection. In those cases, counsel and IT may opt for a logical image of a piece of media, collecting all active files and potentially non-fragmented or overwritten “deleted” data, without preserving fragments or slack space. Using this technique still gives examiners the ability to review operating system activities and determine use patterns or user activities from logs, while ultimately reducing the amount of unnecessary data collected or stored.

What Does IT Need to Do for Legal?

IT professionals are in a unique position to substantially limit both the amount of electronically stored information collected and the associated document-review costs by matching the collection methodology to the class of matter. In doing so, they can employ a variety of technologies, depending on the particular phase of the e-discovery process.

Identification: Often, the first opportunity to limit ESI collected is during the identification phase of e-discovery. A key component of an ESI reduction strategy is eliminating from consideration any repositories that are unlikely to contain implicated ESI. At one time, creating a directory of an organization’s ESI ecosystem—known as ESI data mapping or content mapping­—showed great promise toward this end.

However, map creation required extensive interviews with data stewards, followed by the distillation of the results into spreadsheets. Keeping the map evergreen required the same process and ultimately proved to be inadequate. Today, data mapping can be largely automated with off-the-shelf software, offering the evergreen quality necessary for a useful map.

Data mapping can be effectively paired with employee interviews, whereby an automated survey system is used to ask employees who are likely to be named as custodians whether they know of anyone else who has potentially implicated electronically stored information. This iterative survey process offers the ability to narrow down and limit the custodian set to those whose ESI should be preserved.

Preservation: During ESI preservation, legal team leaders must often decide whether to merely tell custodians not to destroy potentially implicated ESI (and hope that they do so), or pre-emptively collect it—the so-called “collect-to-preserve” strategy. A more recent approach is to use in-place preservation technology, whereby custodian ESI is flagged as being under a legal hold.

This article was originally published on 2014-10-07
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.