Ediscovery Data Collection: Fact v. Fiction
Getting off to a good start in an ediscovery project or computer forensics investigation is paramount. This places extreme scrutiny on the left-hand EDRM activities – namely, identification, preservation and data collection. However, developing the proper collection strategy in a specific matter is anything but turnkey. There are a number of reasonable methods for collecting data, and the choice is often dictated by the facts and circumstances of the case. Whether you are new to capturing data or a veteran with many projects under your belt, take five minutes to brush up on these fallacies and facts around data collection.
1. Fiction: Bit-by-bit imaging is required for a forensically sound collection. Fact: As discussed by Nick Pietig, one of Kroll Ontrack’s consulting professionals, data needs to be collected with an eye toward preventing spoliation, while preserving metadata and ensuring defensibility. In most cases, a full forensic image is not needed and an active data capture will suffice for civil litigation. However, some matters (such as employment cases where a key player is suspected of intentionally deleting information) and some organizations (such as those in regulated industries or with global operations) prefer bit-by-bit imaging, because it is perceived to be the “safest” collection method, capable of standing up to rigorous scrutiny. Regardless of the type of data collection required, every collection must be forensically sound – meaning that all the files are preserved, along with the associated metadata necessary to prove that the information is authentic. To learn more, check out Nick’s data collection video.
2. Fiction: The volume of data collected is decreasing because of better targeting of key custodians. Fact: According to the 2015 edition of Kroll Ontrack’s “Pulse Benchmarks,” the average number of custodians in a data collection is decreasing, from 65 in 2008 to 16 in 2014. In no small part, this trend is likely due to cost-conscious litigants leveraging new collection methods and advanced pre-filtering technologies, combined with more effective custodian interviews. However, the overall volume of data in a collection is relatively stable or even slightly increasing, with 444 GB collected on average in 2008 and 482 GB collected on average in 2014. Even though parties are collecting data more diligently and custodian counts per matter continue to decline, big data is driving up data volumes per custodian, resulting in increased data volumes per case.
3. Fiction: Once you collect data, it must be transported for further processing or investigation offsite. Fact: In many situations, after data is collected, it is transported to some other location for further analysis. However, there are scenarios where data cannot leave the premises. For example, some organizations, under certain circumstances, request that collection and filtering efforts be completed onsite to prevent the transport of irrelevant and sensitive data. In these situations, technology has evolved to collect, filter and process data onsite, so it never leaves the premises. Find out more about this mobile technology by reading a recent mobile discovery case study.
4. Fiction: Collection processes, once proven, need never change. Fact: Because security measures, operating systems and devices are constantly evolving, collection processes also need to continually adapt. For example, new encryption protocols across all types of devices – from mobile devices to the cloud – are prompting updated collection protocols. As such, collection professionals need to research new techniques, investigate tools and perform tests to ensure the collection will accurately capture targeted data. If you are interested in learning more, don’t miss Kroll Ontrack’s November 16 webinar, Mobile Device Investigations: From Android to iPhone and Back, where Jason Bergerson will boost your understanding of how to leverage data from mobile devices in a forensically sound manner.