TERIS/Arizona eDiscovery Expert Offers Tips for 2013: How Proactive Collections of ESI can be Used as a Cost Control and Risk Management Tool
Phoenix, Arizona (PRWEB) September 30, 2013 -- Within the last decade, use of digital forensics has drastically increased. The reasons for this are numerous, from data mining, to investigation, to simple preservation as an insurance policy against future litigation. "Proactive collections can be an excellent insurance policy for parties who are involved in litigation. Advances in technology provide low-cost and, more importantly, defensible options to fulfill Preservation Obligation" according to Frank Mancini, TERIS.
Digital forensics occurs in stages and understanding which stages need to occur in a given case is important and potentially will save you or your client from overspending. “A digital forensic investigation commonly consists of 3 stages: acquisition…analysis, and reporting.” Casey, Eoghan, Digital Evidence and Computer Crime, Second Edition.
Stage 1
Acquisition (collection) “involves creating an exact sector level duplicate (or "forensic duplicate") of the media, often using a write blocking device to prevent modification of the original. Both acquired image and original media are hashed (using SHA-1 or MD5) and the values compared to verify the copy is accurate.” Maarten Van Horenbeeck. "Technology Crime Investigation”, May 2008. Targeted forensic collections can also occur that net specific data such as email. Targeted collections are the most common and often the most useful scenario.
Recommendation: If you are or expect to be involved in litigation, targeted or full forensic collections are a fairly low cost hedge against spoliation or loss of important data that could be critical to your cause.
Acquisition is the most common digital forensic procedure because it leads to others by necessity. This is also generally the least expensive stage. Even if stages two or three are never reached, collection can provide an excellent insurance policy or negotiation tool to parties who are or could possibly become involved in litigation.
Recommendation: If you are or expect to be involved in litigation, by all means do either a targeted or full forensic collection as circumstances warrant. This is a fairly low cost hedge against spoliation or loss of important data that could be critical to your cause. Targeted collections, if they are sufficient for the matter, are preferable.
Stages 2 and 3
Stages 2 and 3 are treated together because analysis without reporting is not particularly helpful. Analysis is the process by which forensic experts utilize a variety of techniques and technologies to recover data and interpret the results. This goes beyond your typical ediscovery processing of known and obvious data and is a specialized service only done by very skilled professionals—ideally. “The evidence recovered is analyzed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialized staff. When an investigation is complete the data is presented, usually in the form of a written report, in lay persons' terms.” M Reith, C Carr, G Gunsch, "An examination of digital forensic models". International Journal of Digital Evidence.
Recommendation: This is an expensive service. Before purchasing, be sure that you cannot gain the same results through “standard” eDiscovery processing and review. If you find that you do need this service, carefully consider your provider for proper qualifications and certifications. An important heuristic if you move forward with analysis is to narrow the scope as much as possible. Carefully consider which custodians and devices should be analyzed. While you do not want to miss anything important, irrelevant or repetitive information can cause costs to soar to astronomical levels.
Richard Saldivar, Principal, TERIS Arizona/Texas states "Mobile devices can provide a wealth of unique information such as GPS and location tracking, call logs, SMS information, pictures and other data that may not be available elsewhere."
Mobile Devices
Mobile devices are not a “stage” but they are a special consideration. Mobile devices can provide a wealth of unique information such as GPS and location tracking, call logs, SMS information, pictures and other data that may not be available elsewhere. Mobile data in the form of SMS aided in the exoneration of Patrick Lumumba in the murder of Meredith Kercher. Eoghan Casey. ed. Handbook of Digital Forensics and Investigation.
Recommendation: Mobile device collection is very costly yet the data contained on them is very elusive. If there is a reasonable chance that there is unique data you will need then an image of the device is recommended.
TERIS is a leading provider of information governance, ediscovery, litigation support and managed services solutions, across the United States and internationally. For more tips on how to maximize cost controls for digital forensics, please contact TERIS.
Karen Roane, TERIS, http://www.TERIS.com/offices/Austin, 602-241-9333, [email protected]
Share this article