Collections: Top 5 Questions

By David Rostov and Debora Motyka Jones

There is a fair amount of confusion regarding collections of client data.  To help guide your approach to collections, we have provided an overview of the top five questions and their answers.

How should collections be performed?

·        All data collections should be performed in a forensically sound manner. This means that the collection should be done in a sound, defensible manner using industry-accepted tools and procedures. The collection should produce an accurate representation of the source evidence.

Targeted Collection versus Full Forensic Collection?

·        A targeted collection includes only active files deemed relevant to the case (e.g. emails and Microsoft Office documents).

    • Reduces cost and time due to faster collection time and less data. 
    • It does not preserve deleted data.
      • Some additional spoliation risk.
      • The methodology may be easier to challenge in court.

·        A forensic collection is a bit-for-bit copy of the entire hard drive including all active files, deleted files, file fragments and blank space.

    • Preserves all data, reducing the risk of spoliation.
    • Has greater legal defensibility.
    • However, it is more expensive.

If files are deleted, what can be recovered?

·        When the content of the file remains on the drive AND

o       Files are in the Windows Recycle Bin;

o       Files have not been overwritten by a new file;

o       Files are partially overwritten.

·        When the content is in a PST AND

o       The damaged/corrupted files, “Deleted Items” files and partially overwritten files are identified and recovered into a new PST file.

If files are deleted, what cannot be recovered?

·        Files that were completely overwritten with new files.

·        Drives that were “wiped” using wiping software.

·        Drives that were physically damaged and cannot be repaired (even in a lab environment).

What are the leading industry software tools for collection?

·        EnCase and FTK Imager for forensic collections.

o       This is the “gold” standard used by law enforcement as well. 

·        Paraben’s Device Seizure for cell phone collections.

·        Microsoft ExMerge for Exchange server collection.

·        Microsoft Robocopy often used for Targeted Collections.

·        Microsoft NTBackup for backup files (.bkf).

·        Symantec Norton Ghost for backup and recovering files.

Text Messaging and Its Impact on eDiscovery

To date, most litigation electronic discovery requests are limited to custodian email and loose documents. The requests ignore custodian mobile phone data, in particular stored text messages. The next big eDiscovery collection trend for litigation will likely be the collection of text messages from mobile phones.

Text messaging is still viewed as something that only teenagers really use. However, the usage data on text messaging is quite revealing. Over 70% of Americans ages 25 to 49 use text messaging. The average number of texts sent per day per user in the US is over 10. In 2008, the number of text messages sent surpassed mobile phone calls. And text messaging is growing at 100 to 200% per year.

To put texting in its proper context, it is estimated that Americans send about 30 emails per day (the data on this is not very precise). This means that texting accounts for ¼ of the daily electronic correspondence sent in the US.

The first step in any forensics investigation is identifying sources of evidence. Mobile phones store evidence in a variety of locations and media formats. Similar to desktop computers, most cell phones have an internal memory and a removable storage media (SD cards). Depending on the carrier, an internal SIM (Subscriber Identity Module) card stores pertinent information, such as phone numbers, contacts, and unique subscriber registration data.

As with computer collections, mobile device collections should be done in a forensically sound manner. This means that the data must be collected without changing the original device content. A forensic hash should be computed over the collected data to ensure that no subsequent changes are made to it. Keep in mind that the data on mobile devices is constantly changing (e.g. clock time, network data, etc.), so it is important to make an exact replica as quickly as possible.
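The two points made so far, a targeted collection of only the active file types deemed relevant and a forensic hash that proves the collected data has not changed since acquisition, as an added example that is not from the original article. It stands in for a tool such as Robocopy on a file share rather than a phone; the folder names, file types (.pst, .docx) and sample contents are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large PSTs fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(source: Path, evidence: Path, extensions: set[str]) -> dict:
    """Targeted collection: copy active files of the chosen types, keep
    timestamps (copy2), verify each copy against its source, write manifest."""
    manifest = {}
    evidence.mkdir(parents=True, exist_ok=True)
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        if src.suffix.lower() not in extensions:
            continue
        dst = evidence / src.relative_to(source)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copies data plus modification/access times
        digest = sha256_file(src)
        if sha256_file(dst) != digest:  # the copy must match the source exactly
            raise RuntimeError(f"hash mismatch while copying {src}")
        manifest[dst.relative_to(evidence).as_posix()] = digest
    (evidence / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(evidence: Path) -> list[str]:
    """Re-hash collected files; return those missing or changed since collection."""
    manifest = json.loads((evidence / "manifest.json").read_text())
    return [rel for rel, expected in manifest.items()
            if not (evidence / rel).is_file() or sha256_file(evidence / rel) != expected]

def demo() -> tuple[dict, list[str], list[str]]:
    """Constructed sample run: collect, verify, tamper, verify again."""
    root = Path(tempfile.mkdtemp())
    src, ev = root / "custodian", root / "evidence"
    (src / "mail").mkdir(parents=True)
    (src / "mail" / "outlook.pst").write_bytes(b"constructed pst contents")
    (src / "memo.docx").write_bytes(b"constructed docx contents")
    (src / "notes.tmp").write_bytes(b"not a targeted file type")
    manifest = collect(src, ev, {".pst", ".docx"})
    clean = verify(ev)  # expected: [] right after collection
    (ev / "memo.docx").write_bytes(b"edited after collection")
    return manifest, clean, verify(ev)  # final list should name memo.docx
```

The manifest is what gets handed over with the evidence; re-running verify on the evidence folder at any later date shows whether anything was altered after collection.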

The main challenge with mobile collections is that most cellular phones use a proprietary operating system. This is compounded by the fact that new mobile devices are constantly being introduced into the market making it a challenge to stay current on the collections tools. Often the hardest part in the collection is just having the right phone adapter on hand to be able to do the data transfer from the phone to the acquiring computer.

After making a copy of the phone data, the next step is to analyze the data. The forensic tools available for analysis and processing are still in their early stage of development. However, there are a number of forensic tools available, such as Paraben’s Device Seizure Toolkit and Guidance Software’s Neutrino. Paraben’s Device Seizure is probably the most common tool used both by law enforcement as well as for commercial litigation. These tools are very similar to traditional forensics software utilities and offer many of the same capabilities and functionality, such as text viewing and keyword searching. During the analysis phase, text messages, e-mails and contacts can be identified, undeleted (if necessary), searched, and exported for review or further processing. If you are interested in more information on mobile collections, the National Institute of Standards and Technology (NIST) has a good overview.