Data and the law - How digital forensics supports litigation


The amount of electronic data in use and stored globally has grown to stratospheric levels, with no sign of slowing down. Current predictions are that the amount of data stored worldwide by 2025 will exceed 175 zettabytes. Or, in more sensible terms, a data volume that would take you 1.8 billion years to download via a standard internet connection.

It naturally follows that digital forensics and efficient, targeted e-discovery are increasingly critical to cases across the breadth of the legal spectrum. The ability to secure, extract, process and analyse large volumes of digital data can make the difference between success and failure in the court room. This is especially true in litigation, where the sheer volume of electronically stored information, or ESI, can present some unique and formidable challenges.

But how do digital forensics professionals work with law firms to support litigation?

Firstly, it’s worth taking a moment to consider the types of data that can be collected. Broadly, data can be categorised as: active data, cloud data, mobile data, offline data, backup data and hidden data.

Active data comprises the sort of information with which a typical user might interact daily, such as e-mails and working files. Active data is usually stored on the local hard drives of individual computers or on shared storage, which can be accessed via a personal or corporate network.

Cloud data resides on servers and is usually accessed via a public network, such as the internet. Cloud data might be stored on a private cloud – owned and operated by the company that owns the data – or on systems operated by a commercial cloud storage provider, such as Microsoft, Amazon or Google. Cloud data also encompasses the data held by providers of professional hosted services, as well as consumer services, such as social networking.

Offline data is that data which is no longer in active use but which is archived, either on local devices (such as removable media) or in a data centre.

Backup data typically comprises a snapshot of an organisation’s active data and is designed for disaster recovery use. This data is often stored in a compressed and sometimes proprietary format and must first be restored before it can be accessed. Backup data often comprises a series of periodic or incremental backups. This can allow for the recovery of historic material, which may have subsequently been deleted from both active and offline data sources.

Hidden data includes data that has previously been deleted from computer systems and which can be recovered using specialist forensics tools. The fact that hidden data is relatively inaccessible means that it is typically spared from any destructive efforts on the part of a user, although the nature and recoverability of hidden data can be unpredictable.

The first step is to identify those types of data which are relevant, both to the current issues in a case and those which might arise over the potentially lengthy period leading up to settlement or judgement.

Careful consideration should then be given to the potential volumes of data that might be involved, the sources of that data and accessibility and time constraints. Whether a case falls wholly within the civil arena, or whether it might have a parallel criminal track, will also inform decisions around the most proportionate approach to data collection and preservation. For example, there is significant variation in the complexity and cost associated with preserving a physical image of data (i.e. the entire content of a data storage device, including deleted files and other artefacts) vs a logical image (just the active data) or even performing a targeted collection (selectively preserving just a specific set of files or documents). 

Once the initial scoping phase is complete, a data collection and preservation plan can be formulated. It is important at this stage for the forensic professional to work closely with legal representatives and, potentially, data custodians. Detailed technical information is often required at this stage in order to set out a plan which is proportionate, comprehensively documented and forensically defensible.

At this stage, care must be taken to ensure that evidence handling considerations are properly satisfied. Conventional techniques, such as comprehensive chain of evidence documentation, audit trailing and so forth have a role to play, alongside methods specifically designed to preserve the integrity of potentially volatile digital evidence. For example, the use of recognised and validated forensic techniques, specialist methods for encapsulating digital evidence in tamper-proof electronic packages and hashing – which generates a digital fingerprint of source data – all help to both preserve and demonstrate evidential integrity.
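An added illustration of the hashing and audit-trail idea described above (not code from the original article or from any forensic product): it records SHA-256 digests for a targeted collection, links custody entries in a hash chain, and later reports modified, missing or added files. The function names and the custody log format are assumptions made for this example.

```python
import hashlib, json, tempfile, time
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # stream, so large files need little memory
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in Path(root).rglob("*") if p.is_file()}

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append_custody(log, actor, action, manifest):
    """Add a custody entry (illustrative format) committing to the manifest and the previous entry."""
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "actor": actor,
             "action": action, "manifest_hash": _digest(manifest),
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def verify_log(log):
    """Recompute the chain; an edited, removed or reordered entry breaks it."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or _digest(body) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def verify_collection(root, manifest):
    """Compare the files on disk now with the digests recorded at collection time."""
    now = build_manifest(root)
    return {"modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
            "missing": sorted(p for p in manifest if p not in now),
            "added": sorted(p for p in now if p not in manifest)}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample evidence
        (note := Path(root, "notes.txt")).write_bytes(b"draft v1\n")
        manifest, log = build_manifest(root), []
        append_custody(log, "examiner A", "collected", manifest)
        note.write_bytes(b"draft v2\n")  # simulate a change after collection
        print(verify_log(log), verify_collection(root, manifest))
```

The chain only demonstrates integrity if the latest `entry_hash` is also recorded somewhere the holder of the log cannot alter, such as a signed exhibit sheet.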

Once collected, the digital evidence must be processed and analysed in a manner which addresses the practical issues identified in the legal case. This can range from a detailed forensic examination of a narrow aspect of a subset of the digital evidence at one end of the spectrum, through to a broad e-discovery exercise at the other.

In any event, specialist tools and techniques have a further role to play in ensuring that the collected evidence is analysed efficiently and with the greatest possible focus.

In cases where there is a need to pick out specific material from huge volumes of data, highly sophisticated e-discovery tools can allow for near-instant searches to be run over millions of e-mails and other documents, and their associated metadata. Optical character recognition, machine learning and intelligent classification can help to save thousands of reviewer hours.

What’s more, these review tools can be made directly accessible to legal teams, allowing for a greater degree of agility and responsiveness in analysing digital material. At the end of this e-discovery phase, documents identified as relevant can be checked, redacted and produced as bundles, ready for disclosure in standardised formats.

Working with a qualified digital forensics professional brings more than just specialist technical knowledge. It allows for a legal team to identify relevant sources of digital evidence, ensure that it is comprehensively collected and examined, and leverage the information it contains to provide insight in relation to specific legal issues. Done well, this can save a great deal of time and cost, as well as impacting enormously on the outcome of a case.