E-Discovery and Computer Forensics – How are They Different?
Introduction to E-Discovery
E-discovery is the procedure by which parties involved in a legal case collect, preserve, review and exchange information in electronic format to use it as an evidence in that case. The parties involved in the case are required to exchange information and evidences in State or Federal courts, coming in the form of either recorded interrogations or testimony. Whether emails, spreadsheets, documents or any other electronic file of potential evidentiary value for investigators or attorneys, the court has identified it as admissible evidence.
E-discovery also involves sifting through a large amount of data to reduce redundancy and useless information. The data is brought to a single location so that it can be viewed by investigators and lawyers. This particular step in the process does not recover hidden or deleted data.
Learn Digital Forensics
Typically, an E-discovery process includes the following steps:
Step 1: The process begins by creating and retaining ESI (Electronically Stored Information) according to ERM (Electronics Records Management) program and enforceable electronic records retention policy.
Step 2: Relevant ESI is identified and then preserved so that the gathered data cannot be destroyed or altered.
Step 3: Now, the ESI is further processed and filtered so that useless information and duplicates are reduced. When the volume of ESI is reduced, it also reduces the costs.
Step 4: The filtered ESI is reviewed and analyzed for the privilege.
Step 5: The remaining ESI is produced after excluding irrelevant, duplicate and privileged data. The ESI is produced in a specific format.
Step 6: This step involves a clawback agreement of the ESI and getting it approved by the court. Clawback agreement is an integral part of any production that involves ESI. Incorporating this agreement is a part of the court order. This agreement requires the parties to agree that unintended production of privileged information will not automatically constitute a waiver of privilege.
Step 7: If the case hasn’t been settled, then the E-discovery is taken to trial.
Computer Forensics vs. E-Discovery
Since both involve electronically stored information, many people think they are one and the same. The primary purpose of E-discovery is to collect active data and metadata from hard drives and other forms of storage media. This data, however, is limited. Computer Forensics is then used to perform a deeper recovery. Computer Forensics autopsies the hard drive and looks for hidden folders or unallocated disk space for identifying who, what, where, why from a computer. If there is not enough basic evidence accessible from a computer, then Computer Forensics is performed. The techniques used in forensics to gather legal evidence require specialized training. It is a more specific discipline that involves the analysis of electronic devices and computers to produce legal evidence for a crime. It involves technical procedures like data carving. Computer Forensics is used in fraud investigations, employment cases, civil ligations, criminal prosecutions, white collar crimes and even divorce cases.
What type of data is gathered by Computer Forensics?
It is the process of retrieving both accessible and inaccessible data like:
- Automatically stored data, for instance, a file that was purged from the server and its copy still exists on the hard drive of the user.
- Files that were deleted by the user and not destroyed. These files stay on the hard drive until they are wiped or overwritten.
- Ghost data which is not readily accessible but recoverable.
- System data which gives an electronic trail of all the activities performed on the computer or the network.
- If wiping software was used on the computer to wipe data, then it can be detected using computer forensic software.
How Did E-Discovery help Google win over Oracle?
Remember when Oracle sued Google for infringing its copyrights by using its Java code in its Android OS? Google won this six-year battle through the E-discovery process. The company gathered multiple emails and presented it to the jury. Among the evidence was an email from the Chief Engineer of Google who suggested negotiating the license from Java. Another email revealed that Google bigwigs requested an alternative OS similar to Java be researched.
Common challenges facing E-discovery
E-discovery is a remarkable way of gathering legal evidences but there are some challenges associated with it too. A good thing is that technological progress is here to mitigate them too. Some of the common ones are:
Large volume of data
It is not easy to filter data when there are too many files to go through. What to pick and what not to pick can affect the quality of the evidence.
It’s expensive
E-discovery process can be complicated, expensive and time consuming. When dealing with complex transactions, fraud or dealing with a long history of communicating among the parties, the cost of e-discovery goes up. Processing ESI can be expensive because of the degree of accuracy required and there is a lot work to be done that too quickly. Certain tools and software are used to extract data which are costly themselves. Plus, experts are required to perform data recovery who are specially trained for this purpose.
Cloud e-discovery is not so easy
A number of challenges arise with cloud e-discovery starting from identifying the physical location of the server to determining the ownership of these servers which further leads to third party data discovery challenges. There is a widespread assumption that the information stored on cloud is easy for an organization to extract but it is not always the case. There are a number of places on the cloud where ESI can live. As per the Federal rules of a Civil Procedure, the party to litigation has to preserve and produce ESI which is in its custody, possession or control. When it comes to cloud, these duties are split. The ESI might not be in your procession or control. Depending on the relationship a company has with its cloud vendor, it may not know where exactly the data is stored. Even if you it does, it is extremely difficult to access the information in time and in the right format. If the company loses control over access to that particular data, the attorney of the opposing party can even send a subpoena to the company or even the cloud provider, making things more complicated.
Learn Digital Forensics
Conclusion
Computer Forensics and E-discovery are two different procedures. When an investigation requires simple information, whether about an individual or business, E-discovery can be really useful. However, if the investigation grows and information needs to be uncovered, then Computer Forensics is used. In short, a legal team can benefit if both these processes are used hand-in-hand.
In this Series
- E-Discovery and Computer Forensics – How are They Different?
- Digital forensics and cybersecurity: Setting up a home lab
- Top 7 tools for intelligence-gathering purposes
- iOS forensics
- Kali Linux: Top 5 tools for digital forensics
- Snort demo: Finding SolarWinds Sunburst indicators of compromise
- Memory forensics demo: SolarWinds breach and Sunburst malware
- Digital forensics careers: Public vs private sector?
- Email forensics: desktop-based clients
- What is a Honey Pot? [updated 2021]
- Email forensics: Web-based clients
- Email analysis
- Investigating wireless attacks
- Wireless networking fundamentals for forensics
- Protocol analysis using Wireshark
- Wireless analysis
- Log analysis
- Network security tools (and their role in forensic investigations)
- Sources of network forensic evidence
- Network Security Technologies
- Network Forensics Tools
- The need for Network Forensics
- Network Forensics Concepts
- Networking Fundamentals for Forensic Analysts
- Popular computer forensics top 19 tools [updated 2021]
- 7 best computer forensics tools [updated 2021]
- Spoofing and Anonymization (Hiding Network Activity)
- Browser Forensics: Safari
- Browser Forensics: IE 11
- Browser Forensics: Firefox
- Browser forensics: Google chrome
- Webinar summary: Digital forensics and incident response — Is it the career for you?
- Web Traffic Analysis
- Network forensics overview
- Eyesight to the Blind – SSL Decryption for Network Monitoring [Updated 2019]
- Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2019]
- Computer forensics: FTK forensic toolkit overview [updated 2019]
- The mobile forensics process: steps and types
- Free & open source computer forensics tools
- An Introduction to Computer Forensics
- Common mobile forensics tools and techniques
- Computer forensics: Chain of custody [updated 2019]
- Computer forensics: Network forensics analysis and examination steps [updated 2019]
- Computer Forensics: Overview of Malware Forensics [Updated 2019]
- Incident Response and Computer Forensics
- Computer Forensics: Memory Forensics
- Comparison of popular computer forensics tools [updated 2019]
- Computer Forensics: Forensic Analysis and Examination Planning
- Computer forensics: Operating system forensics [updated 2019]
- Computer Forensics: Mobile Forensics [Updated 2019]
- Computer Forensics: Digital Evidence [Updated 2019]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Digital forensics
Digital forensics
Digital forensics
Digital forensics