The amount of electronic data in use and stored globally has
grown to stratospheric levels, with no sign of slowing down. Current predictions
are that the amount of data stored worldwide by 2025 will exceed 175
zettabytes. Or, in more sensible terms, a data volume that would take you 1.8
billion years to download via a standard internet connection.
It naturally follows that digital forensics and efficient, targeted
e-discovery are increasingly critical to cases across the breadth of the legal
spectrum. The ability to secure, extract, process and analyse large volumes of digital
data can make the difference between success and failure in the court room. This is especially true in litigation, where the sheer
volume of electronically stored information, or ESI, can present some unique and
formidable challenges.
But how do digital forensics professionals work with law
firms to support litigation?
Firstly, it’s worth taking a moment to consider the types of
data that can be collected. Broadly, data can be categorised as: active data, cloud
data, mobile data, offline data, backup data and hidden data.
Active data comprises the sort of information with which
a typical user might interact daily, such as e-mails and working files. Active
data is usually stored on the local hard drives of individual computers or on shared
storage, which can be accessed via a personal or corporate network.
Cloud data resides on servers and is usually accessed
via a public network, such as the internet. Cloud data might be stored on a
private cloud – owned and operated by the company that owns the data – or on
systems operated by a commercial cloud storage provider, such as Microsoft, Amazon
or Google. Cloud data also encompasses the data held by providers of professional
hosted services, as well as consumer services, such as social networking.
Offline data is that data which is no longer in active
use but which is archived, either on local devices (such as removable media)
or in a data centre.
Backup data typically comprises a snapshot of an
organisation’s active data and is designed for disaster recovery use. This data
is often stored in a compressed and sometimes proprietary format and must first
be restored before it can be accessed. Backup data often comprises a series of periodic
or incremental backups. This can allow for the recovery of historic material,
which may have subsequently been deleted from both active and offline data
sources.
Hidden data includes data that has previously been deleted
from computer systems and which can be recovered using specialist forensics
tools. The fact that hidden data is relatively inaccessible means that it is
typically spared from any destructive efforts on the part of a user, although
the nature and recoverability of hidden data can be unpredictable.
The first step is to identify those types of data which are
relevant, both to the current issues in a case and those which might arise over
the potentially lengthy period leading up to settlement or judgement.
Careful consideration should then be given to the potential volumes
of data that might be involved, the sources of that data and accessibility and
time constraints. Whether a case falls wholly within the civil arena, or
whether it might have a parallel criminal track, will also inform decisions
around the most proportionate approach to data collection and preservation. For
example, there is significant variation in the complexity and cost associated
with preserving a physical image of data (i.e. the entire content of a
data storage device, including deleted files and other artefacts) vs a logical
image (just the active data) or even performing a targeted collection
(selectively preserving just a specific set of files or documents).
Once the initial scoping phase is complete, a data collection
and preservation plan can be formulated. It is important at this stage for the forensic
professional to work closely with legal representatives and, potentially, data
custodians. Detailed technical information is often required at this stage in
order to set out a plan which is proportionate, comprehensively documented and forensically
defensible.
At this stage, care must be taken to ensure that evidence
handling considerations are properly satisfied. Conventional techniques, such
as comprehensive chain of evidence documentation, audit trailing and so forth have
a role to play, alongside methods specifically designed to preserve the
integrity of potentially volatile digital evidence. For example, the use of recognised and validated forensic
techniques, specialist methods for encapsulating digital evidence in
tamper-proof electronic packages and hashing – which generates a digital
fingerprint of source data – all help to both preserve and demonstrate
evidential integrity.
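As an added illustration (not part of the original article), the sketch below shows how hashing can both preserve and demonstrate integrity for a targeted collection: each file is fingerprinted at collection time, and a later check reports anything altered, missing or added. The function names are hypothetical and the choice of SHA-256 is an assumption, since the article does not name an algorithm; the sample files are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path
# Assumption: SHA-256 as the fingerprint; the article does not name an algorithm.

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Record a fingerprint for every file under the collection root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(manifest):
    """Fingerprint the manifest itself so it can be quoted in chain of evidence records."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify(root, manifest):
    """Compare the collection against its manifest and report every discrepancy."""
    current = build_manifest(root)
    return {
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def demo():
    """Constructed sample collection: build, seal, modify, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail").mkdir()
        (root / "mail" / "inbox.txt").write_text("constructed sample e-mail\n")
        (root / "contract.txt").write_text("constructed sample document\n")
        manifest = build_manifest(root)
        clean = verify(root, manifest)  # taken immediately after collection
        (root / "contract.txt").write_text("constructed sample document (edited)\n")
        (root / "mail" / "inbox.txt").unlink()
        (root / "notes.txt").write_text("added after collection\n")
        return seal(manifest), clean, verify(root, manifest)
```

Recording the value returned by seal() in the evidence documentation ties the whole manifest to a single fingerprint, so a later change to any listed file or to the manifest itself becomes detectable.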
Once collected, the digital evidence must be processed and analysed
in a manner which addresses the practical issues identified in the legal case.
This can range from a detailed forensic examination of a narrow aspect of a
subset of the digital evidence at one end of the spectrum, through to a broad
e-discovery exercise at the other.
In any event, specialist tools and techniques have a further
role to play in ensuring that the collected evidence is analysed efficiently
and with the greatest possible focus.
In cases where there is a need to pick out specific material
from huge volumes of data, highly sophisticated e-discovery tools can allow for
near-instant searches to be run over millions of e-mails and other documents,
and their associated metadata. Optical character recognition, machine learning and
intelligent classification can help to save thousands of reviewer hours.
What’s more, these review tools can be made directly
accessible to legal teams, allowing for a greater degree of agility and
responsiveness in analysing digital material. At the end of this e-discovery
phase, documents identified as relevant can be checked, redacted and produced as
bundles, ready for disclosure in standardised formats.
Working with a qualified digital forensics professional brings
more than just specialist technical knowledge. It allows for a legal team to
identify relevant sources of digital evidence, ensure that it is
comprehensively collected and examined, and leverage the information it
contains to provide insight in relation to specific legal issues. Done well, this
can save a great deal of time and cost, as well as impacting enormously on the
outcome of a case.