The scope of eDiscovery might be small at first—limited perhaps to a single computer hard drive, a single email account, a single mobile phone. You might have a gut feeling that relevant ESI may be found in other locations, on other devices, but without good reason, you cannot make a reasonable claim to acquire these devices. This changes when you leverage digital forensics expertise to find links between sources of ESI and prove their relevance to the case at hand.
What Is Digital Forensics?
As a codified industry, digital forensics has been around since the early 1990s. Gillware Digital Forensics’ president and co-founder Cindy Murphy has over 19 years of experience in the field. According to the DFRWS (Digital Forensics Research Workshop), digital forensics is “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events.”
Computer forensics uses scientific methods to collect and preserve electronically stored information (ESI), primarily from computer hard drives, and validate, identify, analyze, interpret, document, and finally present this data. Generally, but not always, digital forensics is performed in conjunction with a criminal or civil court matter. Digital forensics can be used to determine whether or not something happened: for instance, an ex-employee messing with a company-owned laptop while on a business trip in Belize.
Digital forensics can also uncover proof on a given device, such as a computer hard drive, that other relevant devices (such as a USB thumb drive plugged into the computer) exist and are within the purview of the investigation.
How are Digital Forensics and eDiscovery Related?
Electronic discovery, also known as eDiscovery or E-Discovery, refers to the discovery of ESI in legal proceedings such as litigation, as well as government investigations and FOIA requests. Electronic discovery follows the rules of civil procedure and agreed-upon processes. eDiscovery often involves review for privilege and relevance before any data is turned over to the requesting party.
Collecting ESI differs from collecting information on paper and requires a different approach to collection and analysis. Electronic evidence is intangible, exists in far greater volume than information on paper, and is both more transient and more persistent than information that is not stored electronically. Furthermore, electronic information carries metadata that can itself play an important part as evidence—for example, a document can contain metadata indicating when it was created and by whom, as well as the date it was last modified.
The differences between ESI and paper information mean that ESI requires a different approach to discovery, especially to prevent evidence spoliation. The standards for eDiscovery are laid out in the EDRM (Electronic Discovery Reference Model), which serves as guidance for gathering and assimilating ESI.
Electronic discovery and digital forensics are closely related fields. Both involve preserving, collecting, processing, and producing data, and the tasks eDiscovery consultants perform often require a great deal of forensic skill and insight. Digital forensics plays a huge role in identifying additional sources of ESI in an eDiscovery situation.
Leveraging Digital Forensics to Identify Additional Data Sources
The rules of eDiscovery rely heavily on keeping requests. The scope of eDiscovery is essentially the same as discovery in general: parties can seek discovery of non-privileged information relevant to any party’s claim or defense and, for good cause shown, “information relevant to the subject matter involved in the action.” Digital forensics experts can examine one source of ESI and find connections relevant to the case at hand to other sources of ESI, allowing these sources to be acquired and analyzed as well.
For example, in a computer forensics case, we can identify USB devices (such as external hard drives/SSDs or USB thumb drives, including personal devices the litigants were previously unaware of) that have been connected to the computer, and potentially even identify which files were saved to these devices. Forensics experts like those of us here at Gillware Digital Forensics can do the same with cloud storage accounts as well.
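As an illustration of the USB identification described above, the following added example (not Gillware's tooling or code from the original article) extracts USB mass-storage install records from a Windows setupapi.dev.log. It assumes a Windows source machine and the log's usual `Device Install ... USBSTOR\...` section layout; the sample excerpt is constructed, and the function name is hypothetical.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of Windows' setupapi.dev.log (not case data).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001230915118452&0]
>>>  Section start 2016/03/01 10:15:42.371
     dvi: {Build Driver List} 10:15:42.402
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a1b3c4d&0&2]
>>>  Section start 2016/03/02 08:01:10.004
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1f2e3d4c&0]
>>>  Section start 2016/03/04 17:48:09.655
"""

# Groups: 1 vendor, 2 product, 3 revision, 4 instance ID (serial plus suffix).
HEADER = re.compile(
    r"^>>>\s+\[Device Install .*? - USBSTOR\\[^&\\]+&Ven_([^&\\]*)"
    r"&Prod_([^&\\]*)&Rev_([^\\]*)\\([^\]]+)\]", re.I)
START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

def usb_storage_installs(log_text):
    """Return one record per USBSTOR install section, in log order."""
    records, pending = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            vendor, product, revision, instance = m.groups()
            pending = {
                "vendor": vendor, "product": product, "revision": revision,
                "serial": instance.rsplit("&", 1)[0],
                # '&' as the second character means Windows generated the ID
                # because the device reported no serial; such an ID cannot tie
                # the record to one physical device across machines.
                "serial_is_device_unique": not (len(instance) > 1 and instance[1] == "&"),
            }
            continue
        s = START.match(line)
        if s and pending:
            # Timestamps in this log are in the machine's local time zone.
            pending["first_install_local"] = datetime.strptime(s.group(1), "%Y/%m/%d %H:%M:%S.%f")
            records.append(pending)
            pending = None
        elif line.startswith(">>>  ["):
            pending = None  # a non-storage install section began
    return records

if __name__ == "__main__":
    for rec in usb_storage_installs(SAMPLE_LOG):
        print(rec)
```

Run it against a copy taken from a forensic image, never the live evidence, and corroborate each record with other artifacts before relying on it to justify acquiring a device.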
Digital forensic investigators can also identify email accounts used to exfiltrate data (in cases of potential data theft) or communicate about the matter under litigation. Mobile devices such as smart phones connected to a computer may also contain backup files, exfiltrated data, or other evidence of wrongdoing, and a forensic investigation may allow those to be brought into the fold as well. A computer forensics investigation may also turn up new relevant sources of ESI, including link files and other metadata that could shed light on unauthorized access to particular files, plagiarized file contents, or other examples of misconduct.
At the outset, your idea of the scope of a case might be small. But digital forensics expertise will give you a clearer and better idea of the true scope of the case. By leveraging digital forensics, the scope can be widened as we discover new relevant sources of ESI to investigate.