What is data collection in forensic?

Forensic data collections are expansive. They can be anything from a single email account or cell phone to all the computers of upper management in a large corporation. Regardless of size, they all need to be collected in a safe forensic manner.

You might ask why it matters how it is collected. If the document, email, database or folder can be read, then what is the worry? The worry you should have is admissibility in court.

Let us help you ensure the facts you need can be used in court.

The Importance of Defensible Forensic Data

When a document needs to be used in court, the way it was collected must be defensible. That means opposing counsel must be convinced that nothing has been deleted or altered.

This is done by looking at the metadata. When data is not collected in a forensically sound manner, you inherently change the metadata, whether you mean to or not. Once opposing counsel objects because of spoiled metadata, it is out, and sanctions and/or summary judgment on your case can be right around the corner.

Data collections need to be performed by an independent third party. Having your client’s IT staff collect the data can present a conflict of interest, and it’s likely they do not possess the tools and skills to do this properly. Making sure the data is collected correctly is key to finding and using deleted data in your case.

Problems in Forensic Data Collections

Forensic data collection is critical to a court case and when not collected correctly, issues arise. Problems that often occur with forensic data collection include:

1. They are not done correctly most of the time. Copying and pasting documents onto a thumb drive is not the best idea.
2. It’s not very defensible. If an organization, or a member of the organization’s IT staff collected the data, the argument can be made it might have been done with a certain amount of prejudice. Opposing counsel would have reason to believe a key piece of evidence might have been left out. The solution is to outsource, moving the liability to the third party collecting the data.
3. Most people don’t know what is capable of being collected.

We’ve broken down six ways that forensic accounting and digital forensic experts can help your litigation case.

How to Properly Collect Forensic Data

It used to be that data collections were a simple matter of placing documents into a forensic image and then sending it off for review. Today, the solutions are much more complex and cost-effective.

On-site collections are the most standard form of forensic data collections. This is going on-site to collect data directly from laptops, servers, desktops and cell phones. Everything should be collected in a sound court-approved manner. This is normally done for larger collection batches of data.

Remote collections are collections much like an on-site collection, only smaller in nature, which allows them to be performed remotely, thus saving you money. In order to perform remote collections, the third party will need to work with your IT staff to gain secure access to the network.

Targeted collections are a collection of data performed either on-site or remotely for a specific set of data. This can be done by collecting a set of data by a certain time period or folder. This is best if you know exactly what it is that you need to be collected.

Cloud collections are forensic data collections that require harvesting data from cloud storage areas. This would include Gmail, Yahoo, Hotmail, Dropbox, Google Drive, etc. It is possible to forensically extract cloud-based data for use in court.

Social media forensic data collections have become more and more relevant in both civil and criminal cases. This is forensically collecting from Facebook, Twitter, Instagram, YouTube, to name a few.

Mobile device forensic data collections are the collections of cellphones and tablets. Multiple tools are available for collecting from thousands of different types of mobile devices. Deleted text messages and other social media are among a few of the types of items that can be retrieved from cell phone forensic collections.

Culled forensic data collections are the combination of any of the above-listed collection methods, but with the ability to cull only the responsive data while the collection is taking place. Culling data is the practice of narrowing a large data set into a smaller one for review, based on specific criteria such as dates or keywords.

The Role of Deleted Data in Litigation
Deleted data can be almost anything that once resided on a memory-based device. Pictures, videos, PowerPoint presentations, documents, audio files, call logs, text messages, emails—the list can go on and on.

Preservation Letter
A key way to ensure you get electronic data is through a preservation letter. Here are a few tips on how to create a defensible preservation letter:

• Don’t ask for everything. Your preservation request can’t ask for everything electronic. Most judges will find this burdensome. Rather, your preservation request needs to be targeted and specific.
• Request the specific items based on the device. If you are going after deleted data, you will want to request a full physical forensic image of the hard drive of the computer in question. If it’s an Android cellphone, you will want to request the three following images: logical, file system and physical (where applicable). If it’s an Apple device, you will want to request logical, file system, method one and method two images. Other items to be requested can include smart watches, USB drives, email accounts, GPS devices, voice recorders, cloud-based accounts, any external hard drives that have been plugged into a computer in question, among others.
• Request the metadata. It is important to always request the metadata. This can be redundant but ensures you receive everything in an electronic format and shows you will be examining the metadata in the case.

Analyzing the Data
Analyzing the deleted data is key to your success and can greatly enhance the electronic discovery process. To reduce time and fees to the forensic examiner, the more you can tell the examiner, the better. Dates, search terms, type of document, timelines and websites can bring you closer to the deleted truth.

Deleted data can reside in multiple places on a computer. It's important to find it and be able to explain why it was found in a certain area of the computer. Piecing together the puzzle can go rather quickly in many circumstances. Today, computer forensic software has evolved to allow the examiner to perform multiple tasks in a fraction of the time it used to take. Deleted data can uncover photos, videos, previous versions of documents, web history, chat logs and even deleted text messages.

Presenting the Data
The ability to present the data can make or break a case. Presenting the recovered data in a clear way that explains complex terminology in an easy to understand way is crucial. Allow for an explanation and breakdown of complex terms and industry jargon.

Knowing how to present information in court is vital to your case.

A Lawyer’s Duty of Technical Competence

The advancements in technology in the past decade have allowed lawyers to change the way they communicate, investigate, secure client information, market their services and even receive payments. In addition to the benefits technology has facilitated not only to lawyers but to the global business arena, it has spawned equally significant complications and issues for attorneys in the court room.

What is the attorney’s role when it comes to data collection and technical competence? Fundamentally, an attorney’s ethical duty is to provide competent representation to his or her client. In maintaining competence, an attorney “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology .” 

A basic understanding of technology used in the practice of law
“To secure client data, to retain investigative or paraprofessional services, or in hiring a document retention company to create and maintain information for complex eDiscovery cases, a lawyer must give appropriate instruction and take reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations.”

Model Rules of Professional Conduct: Rule 5.3

Hiring an attorney who can navigate relevant technology is in a client’s best interest. The duty of technological competence does not mean an attorney or their paralegal needs to become a technology expert, but it does require basic understanding of the technology they use to practice law and the technology employed by their clients in legal matters. They also need to understand the electronic risks and benefits afforded by those pieces of technology.

It is unlikely that technology will take a break from revolutionizing our world, and one can only expect that the required proficiencies for lawyers will also continue to grow. Just as the public seeks legal advice from a qualified attorney and not their legal assistant, a trained and vetted computer forensic expert can explain, for example, how or if documents were securely preserved and untampered.

Utilizing Forensic and Digital Data in a Court Case

Data collections are a key component in your case. Do it wrong and evidence could be thrown out or key metadata could be altered and irreversible and potentially destroy your case.

Ensuring clients are satisfying their disclosure requirements as well as making sure opposing parties or third parties are preserving relevant documents is crucial to success. Common items such as internet history, deleted text messages, phone apps and social media all play a large part in a litigation case.

Forensic accounting and digital forensics have a firm place in the courtroom.

Learn how forensic accounting and digital forensics can help your litigation case.

What are the different data collection methods in forensics?

What are the four steps in the forensic data collection process?

How is data used in a forensic investigation?

What is targeted data collection?