Forensic collection of electronically stored information
1. Forensic Collection of Electronically Stored
Information
By James Cortopassi
Posted November 9, 2015
In eDiscovery
0
0
A forensic collection is the acquisition and preservation of digital data. The collection is
an integral part of the eDiscovery process, and collections can be full (bit-for-bit) or
pointed to a subset of all data, depending on the case requirements. Once validated, a
defensible collection workflow can be offered for one’s case. The collected electronically
stored information (ESI) will then be culled, analyzed, and further validated, as needed.
Now, the culled data-set(s) can be prepared for review, coding and production during
litigation.
Where does the data come from?
The collection can be compiled from various sources. Anywhere that data can reside, data
2. can be found. Data can be collected from devices such as but not limited to; servers,
desktop computers, laptops, external hard drives, smart phones, and tablets. Additionally,
cloud-based applications (e.g., social media, web-share platforms, and certain email) can
be accessible by forensic professionals. Today, even deleted data can be recovered and
made available for review and analysis.
How is data collected?
When litigation presents a need for the collection of ESI, there are a several different
methods that can be exercised by a forensic professional.
• In-Person ESI Collection
This method involves an in-persona meeting with a forensic professional. The
forensic professional will be able to acquire data from multiple sources,
simultaneously, and immediately address any shifts in collection-scope. The
client’s IT team will typically assist in mapping the data retention infrastructure
prior to the acquisition taking place, in order to allow for a more seamless, efficient
approach to the collection efforts.
• Self-Collection Kit
3. This method is becoming more common amongst forensic professionals and their
clients. Like the in-persona approach, this method of collection can range from a
specific pointed location of interest to an extensive, broad acquisition of all ESI
available. This method is viewed favorably for its quick delivery, convenient hours
of collection, and cost-effectiveness.
• Remote Data Collection
Similar to Self-Collection Kits but requires a secure remote internet connection to a
designated server. This method must overcome the barriers of company security
policies restricting such access, and typically requires more oversight and IT
compliance than a self-guided kit.
Regardless of the method of collection one implements, all forms of forensic acquisition
will produce comprehensive reports and details as to the data-management approach best
suited for the matter. Typically, the forensic collection team will confer with the
attorneys as to the findings, and how the recovered data should be treated, considering the
scope, budget and exposure of the case at bar. Once data has been collected, data
culling methods can resume in order to narrow the review set even more.
The Benefits of a Certified Computer Examiner
There are many advantages of contacting a Certified Computer Examiner (CCE). The
data collection process can be overwhelming to some and, accordingly, should be
conducted by trained professionals. These trained professionals use the latest forensic
tools and procedures, as to avoid data-manipulation or spoliation. A CCE will be able to
guide through the data and present an outline. Those who contact a CCE for their services
should feel assured that they are moving forward in a legally defensible manner.
Educated:
In order to have become certified, these professionals must have completed courses and
have at least 18 months experience with collection tools. Every two years the professional
must re-certify their certification.
Fair:
As per The International Society of Forensic Computers, a CCE must “Provide a fair,
vendor neutral, uncompromised process for certifying the competency of forensic
computer examiners. ” This requirement will benefit any party looking for a CCE to
4. validate information for their case.
Defensible:
A CCE will be able to draft reports in-line with their independent findings. As a result of
the data acquisition efforts; such reporting will include details regarding the data sought,
location(s) where data was stowed, method(s) of collection, findings as to the clients
depicted scope and requirements, and the ability to defend such procedures at the trial or
hearing (by the way of testimony, if necessary).
Preservation and Security
When it comes to the integrity and authentication of the collected data, a proper chain of
collection/custody log will be established. The purpose of the log is to present
documentation of how the data originated. The log will detail how the data came to be
collected, the analysis of the data, and how the data was kept preserved until trial. The
chain of collection/custody log will corroborate the authentication of the evidence, as any
altercations to the data will need to be logged.
At LITeGATION we know the process of eDiscovery and how important it is to gather
forensic collections. No matter what the platform or device, our Certified Computer
5. Examiners (CCE) are prepared to help you develop a collection workflow, initiate the
proper data-acquisition, and get you prepared for the analysis of you responsive data.
For forensic collections or any litigation support service, contact to us today for a free
consultation.
James Cortopassi
James Cortopassi brings nearly 20 years of eDiscovery experience to his practice as a
leader in litigation support and eDiscovery coordination. Mr. Cortopassi has managed
thousands of cases involving forensic collections, data processing & hosted solutions,
managed document review, ESI productions, trial technology services, and workflow-
innovation.
6. Examiners (CCE) are prepared to help you develop a collection workflow, initiate the
proper data-acquisition, and get you prepared for the analysis of you responsive data.
For forensic collections or any litigation support service, contact to us today for a free
consultation.
James Cortopassi
James Cortopassi brings nearly 20 years of eDiscovery experience to his practice as a
leader in litigation support and eDiscovery coordination. Mr. Cortopassi has managed
thousands of cases involving forensic collections, data processing & hosted solutions,
managed document review, ESI productions, trial technology services, and workflow-
innovation.