
Data Collection - How to be prepared

Pro-active lawyers are using technology to help them combat the challenges that technology itself creates. They are implementing computer forensics techniques to assist in the management of electronic evidence sets and to facilitate significantly more focused reviews of only the most relevant information. With an ever diversifying evidence landscape, those considering data collection should be aware of the significant challenges. While an outside electronic evidence expert can prove highly valuable in data collection, there are several issues that lawyers can address even before an evidence collection process begins.

Evidence Landscape

Collecting electronic data can be a complex task in any computer forensic investigation because of the wide variety of electronic storage locations, the vast amount of data available and the ever increasing number of file types in use. The initial data collection steps can be the most critical part of the investigation, and errors can be costly for a case or investigation. Identifying the most relevant electronic evidence can be a complex process, but with external technology experts and an understanding of their clients' IT systems, lawyers are managing data collections in an effective, systematic way.

There are specific areas lawyers should examine when seeking to conduct a data collection that will provide more details as to whose data is really necessary, where the data is located, how much data might need to be collected, and more importantly the potential challenges and risks involved. The main consideration areas and examples of questions that will help identify more relevant documents and data include:

Retrieving Data

Once the location of the relevant data is identified, it must be retrieved. Computer forensic experts can retrieve data from virtually all storage and operating systems, including many antiquated systems. Using proprietary tools, external experts can collect a wide range of data and can also:

  • Retrieve data from seemingly inaccessible media
  • Access active data on the media
  • Recover deleted data and/or deleted e-mail in many cases
  • Access inactive and unused data storage areas of various computer media and retrieve potentially important text
  • Access password protected and encrypted files
  • Gather information from databases, contact managers, electronic calendars and other proprietary software

Regardless of how the data is collected, a forensic copy of all media (computer hard drives, servers, disks, etc.) must be made using appropriate and usually proprietary imaging software. This imaging process provides clients and computer forensic investigators with a "snapshot", or mirror image, of the data contained on the media, and ensures that no alterations are made to the original media.

The imaging process is non-destructive to the data and does not require the operating system to be "booted", which ensures the system is not altered in any way during the imaging process, thus preserving its evidentiary value. Many lawyers and IT professionals are unaware that the mere act of booting a computer will damage critical evidence and may change metadata, such as the creation dates or modified dates associated with particular files. Booting the system may also cause the hard drive to be reconfigured in a way that overwrites data that would have remained more accessible if the "boot" had not occurred.

Copying Data

Several data collection options are available, and the best method will vary depending on the specifics of the situation. Data can be retrieved through the use of data copying software, data harvesting tools or mirror imaging technology. Data copying, which can be conducted using standard tools like Windows Explorer, retrieves only active data. As copying will almost always change some metadata properties, such as the last access date and time of files, it should not be used for collection if a forensic investigation will be conducted on the data. Additionally, copying will fail to collect certain types of data, such as deleted data, that are typically needed in a computer forensic investigation. Copying may also be problematic if a user attempts to copy "0-byte" files, because the copying process will usually fail, necessitating a restart or a piecemeal copying operation.

Data harvesting uses specialised tools to capture active data without changing any of the metadata. While data harvesting maintains metadata properties, it does not retrieve deleted and/or partially overwritten data. Issues associated with the use of enterprise harvest tools for initial searching and collection from local hard drives include complexity, the cost of implementing and supporting the software products currently available, network loading, employee morale, evasion concerns and chain-of-custody challenges. Advantages include centralised management, rapid response and low-profile data collection.

While data copying and harvesting may be appropriate methods for gathering data during an electronic disclosure project, they are typically insufficient for the purposes of a computer forensic investigation, as they do not necessarily preserve evidentiary value. Much archived and historic data will, however, be stored on back-up tapes. In certain cases, this can mean thousands of tapes will be needed to make up a true picture. It is not always necessary to restore all tapes in a collection, though, and it can be far more cost-effective to work with legal teams and external forensic specialists to catalogue and pre-filter the restoration process.
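The imaging step described above, and its contrast with plain copying in this section, as an added example that is not Kroll Ontrack's tooling: the source is only ever opened for reading, every byte is written to an image, source and image are hashed independently, the digests are recorded in a manifest, and the image can be re-verified later so any post-acquisition alteration is detected. The file paths, manifest layout and sample media are constructed for illustration; on real media the source would be a read-only device node.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads so large media never sit wholly in memory

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image):
    """Byte-for-byte image of source (a regular file here; a read-only device
    node in practice), with both hashes recorded in a manifest beside it."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:  # read-only source
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    manifest = {  # assumed manifest layout, not a standard format
        "source": source, "image": image,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image),  # independent re-read of the image
    }
    manifest["verified"] = manifest["source_sha256"] == manifest["image_sha256"]
    with open(image + ".manifest.json", "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest

def verify_image(image):
    """Re-hash the image against the digest recorded at acquisition."""
    with open(image + ".manifest.json") as fh:
        recorded = json.load(fh)["image_sha256"]
    return sha256_file(image) == recorded

def demo():
    """Constructed media: acquire, verify, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source, image = os.path.join(tmp, "media.raw"), os.path.join(tmp, "media.dd")
        with open(source, "wb") as fh:  # 3 MiB + 4 bytes: not chunk-aligned
            fh.write(bytes(range(256)) * (3 * 4096) + b"tail")
        acquired = acquire_image(source, image)["verified"]
        before = verify_image(image)
        with open(image, "r+b") as fh:  # simulate post-acquisition tampering
            fh.seek(5); fh.write(b"\x00")  # byte 5 of the pattern was 0x05
        return acquired, before, verify_image(image)
```

`demo()` returns `(True, True, False)`: the acquisition verifies, the untouched image verifies, and the tampered image fails verification.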

In-house and External Experts

Data collection options include having an expert perform an onsite data collection or using "do-it-yourself" data collection software to collect the data. Discreet onsite data collections are particularly useful in a case where ongoing misconduct is suspected and it is important that the target of an investigation does not become aware that the data collection has occurred. In addition, the use of external forensic experts and tools to retrieve data has the benefits of rapid collection, neutrality and minimal business disruption. Often, onsite data collections can be completed during non-business hours so that business operations are affected only for a limited time (if at all) during the process.

As internal resources become more aware of the legal and technical challenges of data collections, they are increasingly applying computer forensic methods in-house. A significant amount of preparation must be completed before internal resources are set the challenge of collecting data, particularly when reviewing the amount of data storage space and the range of applications owned. This is often a significant point of discussion within internal teams, as the infrastructure of the IT systems must be able to cope with large volumes and varieties of data.

Regardless of which collection method is chosen, the lawyers handling a case should make certain that the individual collecting the data is adequately trained to understand the various topologies of information technology systems, so that the data gathering process is efficient and conforms to forensic standards. Irrespective of whether an organisation engages in-house or external experts, a review of the evidence landscape must be conducted before embarking on a data collection, to maximise the usefulness of its resources.
 
With an ever changing evidence landscape, data collection processes produce a number of challenges for both the legally and the technically minded. From the identification of which documents to collect to the resources assigned to conduct the retrieval, due consideration at the planning stage can significantly reduce the issues, volume and impact of a data collection exercise. These methods are helping lawyers to identify the most relevant electronic documents from a much earlier stage in their investigations and cases. In today's legal processes, therefore, forensic collection and filtering techniques are helping to make the challenging process of an appropriate and proportionate response much easier to justify.




Disclaimer
This document is neither designed nor intended to provide legal or other professional advice but is intended merely to be a starting point for research and information on the subject of legal technology. While every attempt has been made to ensure accuracy of this information, no responsibility can be accepted for errors or omissions. Recipients of information or services provided by Kroll Ontrack shall maintain full, professional, and direct responsibility to their clients for any information or services rendered by Kroll Ontrack.


Copyright 2007 Kroll Ontrack, Inc & Kroll Ontrack Legal Technologies Ltd.