Migrated from eDJGroupInc.com. Author: Barry Murphy. Published: 2010-04-09 12:22:12 In an earlier post about forensic data collection, I put forward the notion that forensic collection is about defensibility. Too many people equate forensic data collection with full disk imaging, but that is oversimplifying the issue. Full disk imaging can be overkill for civil litigation depending on the merits of the case, as most data collection vendors will be quick to point out. However, just because litigation is in civil court, it doesn’t mean that full disk imaging won’t be required. The fact is that each organization needs to assess the importance of the case, its ability to reasonably collect and preserve potentially responsive information, and the potential for non-cooperative custodians.For many organizations, the driving force behind implementing in-house eDiscovery solutions is cost reduction. So how do they balance the science behind electronic evidence with the force of the business process and costs associated with it? For litigious organizations, it was not uncommon to roll out disk imaging on an almost enterprise-wide basis. That led to over-collection and extremely high processing costs. Some CIOs will reasonably ask how implementing in-house collection will provide ROI when disk imaging might still be necessary. My response to that would be that a good infrastructure for collection and preservation will pay off quickly, and that if disk imaging is required, it will be minimized. This, of course, assumes that the infrastructure is complemented by the right policies and procedures. Organizations with solid collection tools and processes will find that disk imaging can be integrated seamlessly into the process. For example, if an organization wants to take images of the five most important custodians in a case just to be on the safe side, they can simply extract the potentially responsive information from the disk images and combine it (and deduplicate it) with their collected set for a given matter. In the past, organizations would have imaged all custodians’ machines; in this example, they can minimize disk imaging.So, it seems relatively simple, right? Well, in reality, it is still a complicated process. I had a chance to speak with Lance Sloves, a Director at Computer Forensic Services, Inc. about this problem. Lance is a Certified Computer Examiner (CCE) and consultant to the legal and corporate communities in computer forensics and eDiscovery processes and procedures, having worked in forensics and law enforcement for two decades. Sloves points out that, first, it’s fairly rare for any organization to have well-rounded or proper policies and processes in place for good, defensible collection – that is just the way it is. Second, few organizations possess the expertise in proper data and forensic collection that is required in today’s eDiscovery market. The fact is that many litigators are getting smarter and smarter about collection – and some can smell blood when something has not been properly vetted. And I’ve yet to meet an IT manager who relishes the thought of being an expert witness (and knowing all about the Federal Rules of Evidence and being able to withstand an unpleasant Daubert challenge).Sloves’ advice to organizations when it comes to proper forensic and data collection is to make sure the right expertc help is in place. It’s possible to have properly trained and experienced people working internally at an organization, but the reality is that many work for forensic consulting companies or as independent consultants. It often makes more economic sense for them to do so. Some good reasons to rely on experienced experts include:
- They understand that there is so much more to think about than the traditional information sources in collection – External USB devices, webmail accounts, social networking sites, cameras, phone, other periphery devices, etc. Not only do they understand this, but they have proven methodologies for documenting these sources and collecting from them.
- They are experienced working with litigators on a daily basis and can give expert testimony and expert reports, which can properly document and ensure the admissibility of electronic evidence and help defend against spoliation claims (and happens to be activity that most organizations don’t want to leave to internal resources).
- They are knowledgeable about both legal rules and precedents as well as computer science and collection methodologies.
Again, forensic experts can be either internal resources or external consultants, but what’s important is that an organization have access to them and make use of them as needed. We’re continuing our research into how forensic collection fits into broader information governance strategies – if you have perspective to share, please email me.