Computer Forensics and eDiscovery: Where One Stops, the Other Begins?

Written By

Sean Goldstein

I am a big believer in the idea that change can be a good thing; notice that I say “can be” and not “is”. It was with this thought in mind that I found my role, and that of my team, changing after more than a decade of working as a “Computer”/“Digital”/“Cyber” Forensics Investigator and Examiner in the military, in other government agencies and as a civilian working for a large corporation. In early 2006, before the amended Federal Rules of Civil Procedure (FRCP) took effect in December 2006, I was asked by my company's General Counsel to work with our litigation attorneys and support staff to solve some issues concerning our ability to collect, preserve and review relevant electronically stored information (ESI), with a focus on unstructured data (laptops and PCs). Thus began my foray into the world of litigation support, specifically electronic discovery (eDiscovery). Over the years I have witnessed confusion about these two areas (digital forensics and eDiscovery) when they are applied to corporate legal matters. However, the process and the rules are more similar than most people initially think, and the only relevant difference lies in the roles and responsibilities involved, as I will attempt to show in the scenarios below.

Scenario 1: An employee gives notice that they are quitting and going to work somewhere else. During the notice period, the soon-to-be former employee secretly copies documents, e-mails and files from company-owned systems and network resources to take with them. Additionally, the employee deletes other files from the system to cover their tracks and potentially cause harm.

This scenario falls under digital forensics. The role of the expert is to analyze the data residing on the digital media and report the findings to the legal team for review. A forensic analysis helps determine which files were deleted and whether the employee was attempting to cover up what he or she was doing. By reconstructing a timeline of what was occurring on the computer and when, the examiner is often able to identify patterns and areas of concern. Without a full forensic investigation, crucial evidence such as link (LNK) files, prefetch files, internet history, the registry and data residing in unallocated space (to name a few) would be overlooked, because none of it is captured by a logical collection of the custodian's documents.

Scenario 2: A class-action lawsuit is served on a company based on multiple counts of alleged fraud in connection with certain business deals, profit forecasts, and representations made to shareholders and customers. Discovery covers a wide range of business records: marketing materials; public statements made by company representatives; communications between members of the sales force and certain customers; all drafts of proposals; and various other items related to the allegations.

This scenario would be considered an eDiscovery matter, and the role of the expert is to provide the information to the legal team. The data at issue is typically voluminous, so the first step is to identify and preserve all the data relevant to the matter. Second, the data needs to be made available for review, with direct guidance from the legal team on scope. From there the team can review the data by date range, keyword, custodian and so on. At the outset there is no need for a computer forensic investigation, because the data is readily available as live files in mailboxes, file shares and workstations. However, should the need arise (for example, if a custodian is suspected of deleting responsive material), and assuming a full forensic image of the media was collected at the start rather than only a logical copy of the files, a full forensic exam can be conducted as a next step.

With this understanding, and recognizing the similarities between these two areas, it should not be surprising that what used to be considered two separate industries (computer forensics and litigation support technologies) have come together to compete in the “all-in-one”, “end-to-end” eDiscovery market we see today. In my opinion this evolution was sorely needed. The following diagram illustrates the features that have been available in digital forensics and eDiscovery tools over the last eight years. In 2004 there was very little overlap between the two as far as what the tools had to offer: most forensics tools could collect, process and analyze data, which was then prepared and produced for review in an eDiscovery-type tool. By 2008 the tools begin to overlap more, which starts to blur the line between forensics and eDiscovery. Finally, by 2013 the tools for digital forensics and eDiscovery offer an almost identical range of features.
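As an added example for the Scenario 2 workflow above (not code from this article or from any review platform), the following shows the two steps the expert owns: preserving the collected ESI with a hash manifest so the reviewed copy can later be proven identical to what was collected, and culling the collection by custodian, date range and keyword under the legal team's direction. The four records, their custodians, dates and contents are constructed samples; the keyword matching is plain case-insensitive substring search, which is an assumption standing in for the richer search of real tools.

```python
"""Preserve a constructed ESI collection with a hash manifest, prove it is
unchanged at review time, and cull it by custodian, date range and keyword
the way the review team in Scenario 2 would. Records are constructed samples."""
import hashlib
from datetime import date

# Constructed sample ESI: (custodian, document date, path, content).
ESI = [
    ("alice", "2012-03-05", "sales/q1_forecast.docx",
     "Q1 profit forecast: 20% growth guaranteed to shareholders"),
    ("bob", "2012-04-11", "mail/acme_deal.eml",
     "Acme deal terms attached; do not circulate the forecast"),
    ("alice", "2011-11-30", "marketing/brochure.pdf",
     "Best-in-class returns for our customers"),
    ("carol", "2012-06-02", "mail/lunch.eml", "Lunch on Friday?"),
]


def sha256(content):
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def preserve(records):
    """Build the preservation manifest: path -> SHA-256 of the collected content.
    Stored with the collection, it lets anyone later prove that the copy being
    reviewed is bit-for-bit what was collected."""
    return {path: sha256(content) for _, _, path, content in records}


def verify(records, manifest):
    """Re-hash the current copy and return every manifest path whose hash no
    longer matches (altered, truncated or missing since collection)."""
    current = {path: sha256(content) for _, _, path, content in records}
    return sorted(path for path in manifest if current.get(path) != manifest[path])


def cull(records, custodians=None, start=None, end=None, keywords=()):
    """Return the paths that survive the review team's filters. Every filter is
    optional; `start`/`end` are ISO dates (inclusive), keywords are matched as
    case-insensitive substrings (an assumption; real platforms do far more)."""
    start_d = date.fromisoformat(start) if start else None
    end_d = date.fromisoformat(end) if end else None
    hits = []
    for custodian, day, path, content in records:
        doc_date = date.fromisoformat(day)
        if custodians and custodian not in custodians:
            continue
        if start_d and doc_date < start_d:
            continue
        if end_d and doc_date > end_d:
            continue
        if keywords and not any(k.lower() in content.lower() for k in keywords):
            continue
        hits.append(path)
    return hits


if __name__ == "__main__":
    manifest = preserve(ESI)
    print("integrity problems:", verify(ESI, manifest))
    print(cull(ESI, custodians={"alice", "bob"},
               start="2012-01-01", end="2012-12-31", keywords=("forecast",)))
```

The point of `verify` is the caveat from the scenario: if the collection was a logical copy and something later changes or goes missing, the manifest is what tells you, and it is also what a forensic examiner will compare against if the matter escalates to a full exam of the original image.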
With early case assessment becoming more popular, attorneys are requesting a forensic tool that also helps assess and review the data as an initial phase, so they can determine risk and cost and limit the need to review endless volumes of data. Let's take a look:

What does all this mean? In my opinion it shows a continuity in both roles and technology that can be advantageous for any company's or firm's needs. If you consider the advantages of having personnel who can perform both roles, and match that with the capabilities of today's technologies, you gain efficiencies in cost, capability, time and quality. So be proactive, and you will be much better prepared to react to issues that arise within your corporation.