Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2012-01-20 06:00:27Format, images and links may no longer function correctly. The astronomical growth in corporate data has driven the practice of eDiscovery away from just the forensic imaging of physical hard drives. The first systems for remote collection of email containers, Office files and other ESI from desktops, laptops and servers appeared in the 2004-2006 time period. I might have been one of the earliest beta testers for Guidance’s Encase Enterprise platform when I was managing the litigation technology for El Paso Corporation back then. Since then, the market has seen a wide variety of new appliances, just-in-time apps and other remote collection technologies. Most appear to promise a ‘push button’ automated collection by IT or Legal with minimal or no impact to working users. Legal sets the scope (date ranges, file types, names or search terms), and the system does all the work in the background. I just wish that it was that easy in the wild west of real world enterprise environments.
On a recent engagement, we consulted on an initiative to collect full preservation copies of all PST or other email containers from all users under legal hold before a big retention management project rolled out. After reviewing the options, remote collection software was chosen and purchased. I had good recent experience with this particular software from two other clients, so the team skipped the usual pre-purchase testing and jumped into action to meet a looming deadline. This is where the universe reminded me that every environment can pose unique challenges.
Challenge #1 – Target Diversity
Remember that there may be dozens of different hardware/OS combinations across your custodians. Continual upgrade cycles, legacy laptop builds, unusual file systems and ongoing M&A integrations all can throw monkey wrenches into testing your collection process. You usually will test for XP and Windows 7 targets, but what about that one exec who insists on a Mac Air? Just expect that some of your custodians may have non-standard hardware/software builds that you cannot test ahead of time, so have a contingency plan for the outliers.
Challenge #2 – Security, Security, Security
Modern corporations are learning about corporate espionage the hard way. They wage a constant fight against evolving penetration attempts. Many IT departments have reacted by simply locking everything down as hard as possible and waiting for users to scream when they cannot function. Virus and intrusion prevention systems will see the actions of a servlet, run-time executable or sudden new service as a potential threat that has to be isolated and blocked. Most users do not have the authority to shut down these systems and many may not even have the rights to even execute the collection application. It is important to ask about the Active Directory structure to identify potential issues from multiple domains. I have also found Windows Volume Shadow Copy Service (which enables background copying of files in use like locked PST files) to be disabled by security as a potential vulnerability.
Challenge #3 – Network Bandwidth
We tend to assume reasonable bandwidth between target machines and your network collection repository. Unfortunately, bandwidth can vary dramatically depending on physical location, backup windows and ongoing migrations. It is critical to try to establish your best estimate of collection throughput (GB/hour) and set user expectations on how long the collection MAY take in worst case conditions. Besides the network bandwidth, remember that collection rates are also controlled by the target and destination read/write speeds. Think hard about your collection storage and what effect hundreds of simultaneous collection jobs may have when they are all trying to write to the same network share.
Challenge #4 – A Truly Mobile Workforce
Consider this scenario. You ask custodians to start their collection before leaving for the day or going to a long lunch. An hour later their laptop/desktop power settings decide to put it to sleep. Custodian comes back and the collection starts back up or crashes. Many executive users are never far away from their laptops and will resent asking them to be off of email for several hours. My client struggled to understand why a particular collection kept crashing out, only to find out that the custodian was on vacation and it was running from a hotel over a VPN connection.
Challenge #5 – Volume (Be Careful What You Ask For)
Custodians rarely know the volume of ESI that they are hoarding. Now that we can reach it, be careful that you are prepared for the flood of 10 GB PST file, bloated Powerpoints and extraordinary Excel files that may swamp your collection repository faster than you can process the ESI. Take your worst case estimate and double it, at least. Think through your entire process of collection, quality control, processing, migration and the final cleaning off of your repository. Warn your IT group about the sudden flood of data that might stretch your backup windows to the breaking point.
All of these challenges (and many more) should not have you ordering write blocks and external hard drives. Every different remote collection methodology has advantages and limitations, but most deliver on their promise when thoroughly tested in your environment. Just realize that you need a flexible process and active communication with custodians, IT and counsel to work your way through the unexpected roadblocks that real world environments will throw at you. Got any good remote collection stories? We love to hear about your challenges and how you overcame them.